Malware Analysis Report

2025-05-05 21:45

Sample ID 221220-nr9clace7w
Target 3ac7b32c46a0fc9a6b97aaa3bb18c06c8212d8869f87f0d2bb712ffbcb826967
SHA256 3ac7b32c46a0fc9a6b97aaa3bb18c06c8212d8869f87f0d2bb712ffbcb826967
Tags danabot smokeloader systembc backdoor banker trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 3ac7b32c46a0fc9a6b97aaa3bb18c06c8212d8869f87f0d2bb712ffbcb826967

Threat Level: Known bad

The file 3ac7b32c46a0fc9a6b97aaa3bb18c06c8212d8869f87f0d2bb712ffbcb826967 was found to be: Known bad.

Malicious Activity Summary

danabot smokeloader systembc backdoor banker trojan

SmokeLoader

SystemBC

Danabot

Detects Smokeloader packer

Blocklisted process makes network request

Executes dropped EXE

Downloads MZ/PE file

Deletes itself

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Checks processor information in registry

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-12-20 11:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-12-20 11:39

Reported 2022-12-20 11:41

Platform win10-20220901-en

Max time kernel 150s

Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ac7b32c46a0fc9a6b97aaa3bb18c06c8212d8869f87f0d2bb712ffbcb826967.exe"

Signatures

Danabot

trojan banker danabot

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

SystemBC

trojan systembc

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 780 set thread context of 4604 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\mhbf.job C:\Users\Admin\AppData\Local\Temp\60BE.exe N/A
File opened for modification C:\Windows\Tasks\mhbf.job C:\Users\Admin\AppData\Local\Temp\60BE.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3ac7b32c46a0fc9a6b97aaa3bb18c06c8212d8869f87f0d2bb712ffbcb826967.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3ac7b32c46a0fc9a6b97aaa3bb18c06c8212d8869f87f0d2bb712ffbcb826967.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3ac7b32c46a0fc9a6b97aaa3bb18c06c8212d8869f87f0d2bb712ffbcb826967.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\gufvdui N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\gufvdui N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\gufvdui N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009455fa5c100054656d7000003a0009000400efbe2155a8849455fa5c2e000000000000000000000000000000000000000000000000004508bc00540065006d007000000014000000 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ac7b32c46a0fc9a6b97aaa3bb18c06c8212d8869f87f0d2bb712ffbcb826967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ac7b32c46a0fc9a6b97aaa3bb18c06c8212d8869f87f0d2bb712ffbcb826967.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ac7b32c46a0fc9a6b97aaa3bb18c06c8212d8869f87f0d2bb712ffbcb826967.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\gufvdui N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2108 wrote to memory of 3404 N/A N/A C:\Users\Admin\AppData\Local\Temp\3009.exe
PID 2108 wrote to memory of 3404 N/A N/A C:\Users\Admin\AppData\Local\Temp\3009.exe
PID 2108 wrote to memory of 3404 N/A N/A C:\Users\Admin\AppData\Local\Temp\3009.exe
PID 3404 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\3009.exe C:\Windows\SysWOW64\rundll32.exe
PID 3404 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\3009.exe C:\Windows\SysWOW64\rundll32.exe
PID 3404 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\3009.exe C:\Windows\SysWOW64\rundll32.exe
PID 2108 wrote to memory of 4676 N/A N/A C:\Users\Admin\AppData\Local\Temp\60BE.exe
PID 2108 wrote to memory of 4676 N/A N/A C:\Users\Admin\AppData\Local\Temp\60BE.exe
PID 2108 wrote to memory of 4676 N/A N/A C:\Users\Admin\AppData\Local\Temp\60BE.exe
PID 780 wrote to memory of 4604 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 780 wrote to memory of 4604 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 780 wrote to memory of 4604 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3ac7b32c46a0fc9a6b97aaa3bb18c06c8212d8869f87f0d2bb712ffbcb826967.exe

"C:\Users\Admin\AppData\Local\Temp\3ac7b32c46a0fc9a6b97aaa3bb18c06c8212d8869f87f0d2bb712ffbcb826967.exe"

C:\Users\Admin\AppData\Local\Temp\3009.exe

C:\Users\Admin\AppData\Local\Temp\3009.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye

C:\Users\Admin\AppData\Local\Temp\60BE.exe

C:\Users\Admin\AppData\Local\Temp\60BE.exe

C:\Users\Admin\AppData\Roaming\gufvdui

C:\Users\Admin\AppData\Roaming\gufvdui

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14138

C:\ProgramData\lahp\mhbf.exe

C:\ProgramData\lahp\mhbf.exe start

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 dowe.at udp
N/A 91.195.240.101:80 dowe.at tcp
N/A 8.8.8.8:53 xisac.com udp
N/A 187.156.18.69:80 xisac.com tcp
N/A 187.156.18.69:80 xisac.com tcp
N/A 187.156.18.69:80 xisac.com tcp
N/A 20.42.73.27:443 tcp
N/A 187.156.18.69:80 xisac.com tcp
N/A 187.156.18.69:80 xisac.com tcp
N/A 45.141.58.129:80 45.141.58.129 tcp
N/A 187.156.18.69:80 xisac.com tcp
N/A 187.156.18.69:80 xisac.com tcp
N/A 187.156.18.69:80 xisac.com tcp
N/A 187.156.18.69:80 xisac.com tcp
N/A 187.156.18.69:80 xisac.com tcp
N/A 187.156.18.69:80 xisac.com tcp
N/A 23.236.181.126:443 23.236.181.126 tcp
N/A 84.53.175.11:80 tcp
N/A 187.156.18.69:80 xisac.com tcp
N/A 187.156.18.69:80 xisac.com tcp
N/A 187.156.18.69:80 xisac.com tcp
N/A 187.156.18.69:80 xisac.com tcp
N/A 8.8.8.8:53 bitleague.live udp
N/A 198.38.91.55:443 bitleague.live tcp
N/A 187.156.18.69:80 xisac.com tcp
N/A 187.156.18.69:80 xisac.com tcp
N/A 127.0.0.1:14138 tcp
N/A 127.0.0.1:1312 tcp
N/A 109.205.214.18:443 tcp
N/A 23.236.181.126:443 tcp

Files

memory/2744-120-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-121-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-122-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-123-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-124-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-125-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-126-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-127-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-128-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-129-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-130-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-131-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-132-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-133-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-134-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-136-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-137-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-138-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-139-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-140-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-141-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-142-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-143-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-144-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-145-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-146-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-148-0x00000000004B0000-0x00000000005FA000-memory.dmp

memory/2744-147-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-149-0x0000000002170000-0x0000000002179000-memory.dmp

memory/2744-150-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-151-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2744-152-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-153-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-154-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-155-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-156-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2744-157-0x0000000000400000-0x000000000045F000-memory.dmp

memory/3404-158-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3009.exe

MD5 be1369ec379e0ec8dd84be3d5a26ac00
SHA1 ee6832ff5c366b22291778d8c314f0d4ec6b1225
SHA256 4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912
SHA512 4b1546ac4017772a97d5c16be5be988ce31f64161a4df2ed39d4fcab6590616f8268f8cc3d193a9b50c0ebecf7505a445554a5897dd5ff29f1eda6437194b171

memory/3404-160-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/3404-161-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/3404-163-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/3404-162-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/3404-164-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/3404-165-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/3404-168-0x0000000076F80000-0x000000007710E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3009.exe

MD5 be1369ec379e0ec8dd84be3d5a26ac00
SHA1 ee6832ff5c366b22291778d8c314f0d4ec6b1225
SHA256 4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912
SHA512 4b1546ac4017772a97d5c16be5be988ce31f64161a4df2ed39d4fcab6590616f8268f8cc3d193a9b50c0ebecf7505a445554a5897dd5ff29f1eda6437194b171

memory/3404-170-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/3404-171-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/3404-174-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/3404-173-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/3404-172-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/3404-175-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/3404-169-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/3404-166-0x0000000076F80000-0x000000007710E000-memory.dmp

memory/2108-178-0x00000000015D0000-0x00000000015E0000-memory.dmp

memory/2108-180-0x0000000001600000-0x0000000001610000-memory.dmp

memory/2108-183-0x0000000001600000-0x0000000001610000-memory.dmp

memory/2108-185-0x0000000001600000-0x0000000001610000-memory.dmp

memory/2108-188-0x0000000001600000-0x0000000001610000-memory.dmp

memory/2108-187-0x0000000001600000-0x0000000001610000-memory.dmp

memory/2108-186-0x0000000001600000-0x0000000001610000-memory.dmp

memory/2108-191-0x0000000001600000-0x0000000001610000-memory.dmp

memory/2108-192-0x00000000015D0000-0x00000000015E0000-memory.dmp

memory/2108-195-0x00000000015A0000-0x00000000015B0000-memory.dmp

memory/2108-198-0x0000000001600000-0x0000000001610000-memory.dmp

memory/2108-199-0x0000000001600000-0x0000000001610000-memory.dmp

memory/2108-201-0x0000000001600000-0x0000000001610000-memory.dmp

memory/2108-202-0x0000000001600000-0x0000000001610000-memory.dmp

memory/2108-200-0x0000000001600000-0x0000000001610000-memory.dmp

memory/2108-197-0x0000000001620000-0x0000000001630000-memory.dmp

memory/2108-207-0x0000000001600000-0x0000000001610000-memory.dmp

memory/2108-206-0x0000000001600000-0x0000000001610000-memory.dmp

memory/2108-194-0x0000000001600000-0x0000000001610000-memory.dmp

memory/2108-208-0x0000000001600000-0x0000000001610000-memory.dmp

memory/2108-210-0x0000000001600000-0x0000000001610000-memory.dmp

memory/2108-212-0x0000000001620000-0x0000000001630000-memory.dmp

memory/2108-211-0x0000000001620000-0x0000000001630000-memory.dmp

memory/3404-227-0x00000000021B0000-0x00000000022AB000-memory.dmp

memory/3404-229-0x0000000002390000-0x00000000024C0000-memory.dmp

memory/3404-231-0x0000000000400000-0x000000000053E000-memory.dmp

memory/780-242-0x0000000000000000-mapping.dmp

memory/3404-245-0x0000000000400000-0x000000000053E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

MD5 24925b25552a7d8f1d3292071e545920
SHA1 f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA256 9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512 242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

MD5 24925b25552a7d8f1d3292071e545920
SHA1 f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA256 9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512 242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

memory/4676-325-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\60BE.exe

MD5 cdc67700f25eaed1417264c4bdec03d3
SHA1 56639e9414e6ee8394d940d62778475ddf071290
SHA256 fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100
SHA512 a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

memory/2108-328-0x0000000001620000-0x0000000001630000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\60BE.exe

MD5 cdc67700f25eaed1417264c4bdec03d3
SHA1 56639e9414e6ee8394d940d62778475ddf071290
SHA256 fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100
SHA512 a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

memory/2108-345-0x0000000001620000-0x0000000001630000-memory.dmp

memory/2108-344-0x0000000001620000-0x0000000001630000-memory.dmp

memory/4676-385-0x00000000004C0000-0x000000000056E000-memory.dmp

memory/4676-386-0x00000000004C0000-0x000000000056E000-memory.dmp

memory/4676-387-0x0000000000400000-0x000000000045F000-memory.dmp

memory/780-407-0x00000000070C0000-0x00000000077E5000-memory.dmp

C:\Users\Admin\AppData\Roaming\gufvdui

MD5 159bf3c1b8387fdd3ccdc293b8d5e9d2
SHA1 5b23664c1b8b6c835e5067b90e07687aab4979a4
SHA256 3ac7b32c46a0fc9a6b97aaa3bb18c06c8212d8869f87f0d2bb712ffbcb826967
SHA512 145435b9af204328fa2cb4f7823fe2cf74948fa7bfa1b82f910e3e9769d346dc7985730b526bc913d6286fb83de43e74d7a23c224ff3013069c9afc48ed137cf

C:\Users\Admin\AppData\Roaming\gufvdui

MD5 159bf3c1b8387fdd3ccdc293b8d5e9d2
SHA1 5b23664c1b8b6c835e5067b90e07687aab4979a4
SHA256 3ac7b32c46a0fc9a6b97aaa3bb18c06c8212d8869f87f0d2bb712ffbcb826967
SHA512 145435b9af204328fa2cb4f7823fe2cf74948fa7bfa1b82f910e3e9769d346dc7985730b526bc913d6286fb83de43e74d7a23c224ff3013069c9afc48ed137cf

memory/4604-433-0x00007FF7FBD95FD0-mapping.dmp

memory/4604-438-0x0000000000D50000-0x0000000000F69000-memory.dmp

memory/4604-439-0x000001EA42FD0000-0x000001EA431FA000-memory.dmp

C:\ProgramData\lahp\mhbf.exe

MD5 cdc67700f25eaed1417264c4bdec03d3
SHA1 56639e9414e6ee8394d940d62778475ddf071290
SHA256 fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100
SHA512 a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

C:\ProgramData\lahp\mhbf.exe

MD5 cdc67700f25eaed1417264c4bdec03d3
SHA1 56639e9414e6ee8394d940d62778475ddf071290
SHA256 fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100
SHA512 a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

memory/4676-458-0x00000000004C0000-0x000000000056E000-memory.dmp

memory/4676-460-0x00000000004C0000-0x000000000056E000-memory.dmp

memory/1640-477-0x0000000000716000-0x0000000000727000-memory.dmp

memory/1640-478-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2256-511-0x00000000004C0000-0x000000000060A000-memory.dmp

memory/2256-512-0x00000000004C0000-0x000000000056E000-memory.dmp

memory/2256-513-0x0000000000400000-0x000000000045F000-memory.dmp

memory/780-514-0x00000000070C0000-0x00000000077E5000-memory.dmp

memory/1640-515-0x0000000000716000-0x0000000000727000-memory.dmp

memory/1640-516-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2256-518-0x00000000004C0000-0x000000000060A000-memory.dmp

memory/2256-519-0x00000000004C0000-0x000000000056E000-memory.dmp