Malware Analysis Report

2025-05-05 21:45

Sample ID 221220-q9pf9ach7v
Target b747dda36be7c0d51dd011728418e184b0dd163c51a53d3fb22e92e596147979
SHA256 b747dda36be7c0d51dd011728418e184b0dd163c51a53d3fb22e92e596147979
Tags
danabot smokeloader systembc backdoor banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b747dda36be7c0d51dd011728418e184b0dd163c51a53d3fb22e92e596147979

Threat Level: Known bad

The file b747dda36be7c0d51dd011728418e184b0dd163c51a53d3fb22e92e596147979 was found to be: Known bad.

Malicious Activity Summary

danabot smokeloader systembc backdoor banker trojan

Danabot

SystemBC

SmokeLoader

Detects Smokeloader packer

Downloads MZ/PE file

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Deletes itself

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-20 13:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-20 13:57

Reported

2022-12-20 14:00

Platform

win10-20220812-en

Max time kernel

150s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b747dda36be7c0d51dd011728418e184b0dd163c51a53d3fb22e92e596147979.exe"

Signatures

Danabot

trojan banker danabot

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

SystemBC

trojan systembc

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4308 set thread context of 4396 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Tasks\bpdq.job C:\Users\Admin\AppData\Local\Temp\6003.exe N/A
File created C:\Windows\Tasks\bpdq.job C:\Users\Admin\AppData\Local\Temp\6003.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b747dda36be7c0d51dd011728418e184b0dd163c51a53d3fb22e92e596147979.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b747dda36be7c0d51dd011728418e184b0dd163c51a53d3fb22e92e596147979.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b747dda36be7c0d51dd011728418e184b0dd163c51a53d3fb22e92e596147979.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\dccehrc N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\dccehrc N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\dccehrc N/A

Checks processor information in registry

Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000094555577100054656d7000003a0009000400efbe0c55a789945555772e000000000000000000000000000000000000000000000000002d67a800540065006d007000000014000000 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 C:\Windows\system32\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b747dda36be7c0d51dd011728418e184b0dd163c51a53d3fb22e92e596147979.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b747dda36be7c0d51dd011728418e184b0dd163c51a53d3fb22e92e596147979.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b747dda36be7c0d51dd011728418e184b0dd163c51a53d3fb22e92e596147979.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dccehrc N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 4628 N/A N/A C:\Users\Admin\AppData\Local\Temp\3B82.exe
PID 3020 wrote to memory of 4628 N/A N/A C:\Users\Admin\AppData\Local\Temp\3B82.exe
PID 3020 wrote to memory of 4628 N/A N/A C:\Users\Admin\AppData\Local\Temp\3B82.exe
PID 4628 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\3B82.exe C:\Windows\SysWOW64\rundll32.exe
PID 4628 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\3B82.exe C:\Windows\SysWOW64\rundll32.exe
PID 4628 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\3B82.exe C:\Windows\SysWOW64\rundll32.exe
PID 3020 wrote to memory of 4532 N/A N/A C:\Users\Admin\AppData\Local\Temp\6003.exe
PID 3020 wrote to memory of 4532 N/A N/A C:\Users\Admin\AppData\Local\Temp\6003.exe
PID 3020 wrote to memory of 4532 N/A N/A C:\Users\Admin\AppData\Local\Temp\6003.exe
PID 4308 wrote to memory of 4396 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4308 wrote to memory of 4396 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4308 wrote to memory of 4396 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b747dda36be7c0d51dd011728418e184b0dd163c51a53d3fb22e92e596147979.exe

"C:\Users\Admin\AppData\Local\Temp\b747dda36be7c0d51dd011728418e184b0dd163c51a53d3fb22e92e596147979.exe"

C:\Users\Admin\AppData\Local\Temp\3B82.exe

C:\Users\Admin\AppData\Local\Temp\3B82.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye

C:\Users\Admin\AppData\Local\Temp\6003.exe

C:\Users\Admin\AppData\Local\Temp\6003.exe

C:\ProgramData\qxwnds\bpdq.exe

C:\ProgramData\qxwnds\bpdq.exe start

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14153

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Roaming\dccehrc

C:\Users\Admin\AppData\Roaming\dccehrc

Network

Country Destination Domain Proto
N/A 13.69.109.131:443 tcp
N/A 8.8.8.8:53 dowe.at udp
N/A 91.195.240.101:80 dowe.at tcp
N/A 8.8.8.8:53 xisac.com udp
N/A 187.212.179.75:80 xisac.com tcp
N/A 187.212.179.75:80 xisac.com tcp
N/A 187.212.179.75:80 xisac.com tcp
N/A 187.212.179.75:80 xisac.com tcp
N/A 187.212.179.75:80 xisac.com tcp
N/A 45.141.58.129:80 45.141.58.129 tcp
N/A 187.212.179.75:80 xisac.com tcp
N/A 187.212.179.75:80 xisac.com tcp
N/A 187.212.179.75:80 xisac.com tcp
N/A 187.212.179.75:80 xisac.com tcp
N/A 187.212.179.75:80 xisac.com tcp
N/A 187.212.179.75:80 xisac.com tcp
N/A 8.252.118.126:80 tcp
N/A 187.212.179.75:80 xisac.com tcp
N/A 187.212.179.75:80 xisac.com tcp
N/A 187.212.179.75:80 xisac.com tcp
N/A 187.212.179.75:80 xisac.com tcp
N/A 8.8.8.8:53 bitleague.live udp
N/A 198.38.91.55:443 bitleague.live tcp
N/A 187.212.179.75:80 xisac.com tcp
N/A 23.236.181.126:443 23.236.181.126 tcp
N/A 187.212.179.75:80 xisac.com tcp
N/A 127.0.0.1:14153 tcp
N/A 127.0.0.1:1312 tcp
N/A 109.205.214.18:443 tcp
N/A 23.236.181.126:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\3B82.exe

MD5 0bcfd64236a383b6eb74c14e7852c06b
SHA1 e30bf2b3338a759c1af139e681beb08b9d20db82
SHA256 39e9581effab24da8eb08d77968c002d4d742dd836ec2a0c8ab6b9879b4892a7
SHA512 bb75de366f834acf8f725ea7dcde4f8a38324166ea13ee6f1aee8b0599d53a194c2140894418ad9c6b169ad91e63188e0db799172daf13bc95d9cb9d3d2a759e

\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

MD5 24925b25552a7d8f1d3292071e545920
SHA1 f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA256 9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512 242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

C:\Users\Admin\AppData\Local\Temp\6003.exe

MD5 cdc67700f25eaed1417264c4bdec03d3
SHA1 56639e9414e6ee8394d940d62778475ddf071290
SHA256 fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100
SHA512 a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

C:\ProgramData\qxwnds\bpdq.exe

MD5 cdc67700f25eaed1417264c4bdec03d3
SHA1 56639e9414e6ee8394d940d62778475ddf071290
SHA256 fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100
SHA512 a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

C:\Users\Admin\AppData\Roaming\dccehrc

MD5 e4de9546e6536c619d39dfd8861bfc0a
SHA1 a7bad7df8d7865638640ba93dd44a08069c28bc6
SHA256 b747dda36be7c0d51dd011728418e184b0dd163c51a53d3fb22e92e596147979
SHA512 3776fb02a698990d16e2f4bc149c86cb5646ea21ba114329c19f68905fb02458bc1d1a7e6f7e6490e316f15576857e361cbd3827d0f2b022b77016eee529b5fe
