Malware Analysis Report

2025-05-05 21:45

Sample ID 221220-qh43macg21
Target 5234114873c908014335c999b048382d2f1e68ef3cf98ff14e30e04a269126f7
SHA256 5234114873c908014335c999b048382d2f1e68ef3cf98ff14e30e04a269126f7
Tags
danabot smokeloader systembc backdoor banker persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5234114873c908014335c999b048382d2f1e68ef3cf98ff14e30e04a269126f7

Threat Level: Known bad

The file 5234114873c908014335c999b048382d2f1e68ef3cf98ff14e30e04a269126f7 was found to be: Known bad.

Malicious Activity Summary

danabot smokeloader systembc backdoor banker persistence trojan

SmokeLoader

SystemBC

Danabot

Detects Smokeloader packer

Sets service image path in registry

Sets DLL path for service in the registry

Executes dropped EXE

Blocklisted process makes network request

Downloads MZ/PE file

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-20 13:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-20 13:16

Reported

2022-12-20 13:19

Platform

win10v2004-20221111-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5234114873c908014335c999b048382d2f1e68ef3cf98ff14e30e04a269126f7.exe"

Signatures

Danabot

trojan banker danabot

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

SystemBC

trojan systembc

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4F6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2D79.exe N/A
N/A N/A C:\ProgramData\fjgceb\lsknjp.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aic_file_icons_retina_thumb_highContrast_bow\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\aic_file_icons_retina_thumb_highContrast_bow.dll" C:\Windows\SysWOW64\rundll32.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aic_file_icons_retina_thumb_highContrast_bow\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalServiceԀ" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aic_file_icons_retina_thumb_highContrast_bow\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalServiceᴀ" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aic_file_icons_retina_thumb_highContrast_bow\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService␀" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aic_file_icons_retina_thumb_highContrast_bow\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService愀" C:\Windows\SysWOW64\rundll32.exe N/A
Note: the value was written four times and each capture ends in a different stray wide character after "LocalService" (U+0500, U+1D00, U+2400, U+6100). The command line the service actually ran under, as recorded in the Processes section, is "C:\Windows\SysWOW64\svchost.exe -k LocalService", so the trailing character is most likely a capture or string-length artifact and should not be part of any indicator built from this row. Because the -k group is the stock LocalService group, a hunt for this persistence has to key on the unfamiliar service name and on the ServiceDll path under Program Files (x86)\WindowsPowerShell\Modules rather than on ImagePath.
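The ServiceDll and ImagePath rows above are the two writes a hunter turns into a check. The Python below is an added example, not part of this report or of any sandbox product: it parses rows in the format used in this section, groups them per service, flags a ServiceDll outside System32/SysWOW64, and separates stray non-ASCII trailing characters from the svchost group name so the cleaned value can be matched on a real host. The Dhcp rows in the sample are a constructed benign control, not taken from the report.

```python
"""Triage sandbox registry writes for svchost-hosted service persistence.

Added example; not part of this report or of any sandbox vendor's tooling.
Parses "Set value (str) <key> = "<value>" <process> <target>" rows as they
appear in the Signatures section, groups them per service, and applies:
  1. ServiceDll outside System32/SysWOW64 -> suspicious (a legitimate
     svchost-hosted service keeps its DLL there; on a live host expand
     %SystemRoot% before comparing, the sandbox already did).
  2. ImagePath "svchost.exe -k <group>" with non-ASCII trailing characters
     -> the stray characters are reported separately and the cleaned group
     name is kept, so the indicator matches what the service really ran.
SAMPLE_EVENTS is built from this report's rows plus one constructed benign
control (a Dhcp registration) so the checks have something to pass.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

EVENT_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\MACHINE\\SYSTEM\\[^ ]+)'
    r' = "(?P<value>.*?)" (?P<process>\S+) (?P<target>\S+)$'
)
SERVICE_RE = re.compile(r'\\Services\\(?P<name>[^\\]+)\\(?P<rest>.*)$')
IMAGEPATH_RE = re.compile(r'^(?P<exe>.*?svchost\.exe) -k (?P<group>.+)$', re.IGNORECASE)
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

SVC = r'\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services'
W = r'C:\Windows\SysWOW64\rundll32.exe N/A'  # writer + target columns of the report rows
SAMPLE_EVENTS = [
    # Rows from this report (values are escaped exactly as the sandbox prints them).
    rf'Set value (str) {SVC}\aic_file_icons_retina_thumb_highContrast_bow\Parameters\ServiceDll = '
    rf'"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\aic_file_icons_retina_thumb_highContrast_bow.dll" {W}',
    rf'Set value (str) {SVC}\aic_file_icons_retina_thumb_highContrast_bow\ImagePath = '
    r'"C:\\Windows\\system32\\svchost.exe -k LocalService' '\u0500' rf'" {W}',
    rf'Set value (str) {SVC}\aic_file_icons_retina_thumb_highContrast_bow\ImagePath = '
    r'"C:\\Windows\\system32\\svchost.exe -k LocalService' '\u2400' rf'" {W}',
    # Constructed benign control, not from the report: a stock service keeps its DLL in System32.
    rf'Set value (str) {SVC}\Dhcp\Parameters\ServiceDll = "C:\\Windows\\system32\\dhcpcore.dll" C:\Windows\System32\services.exe N/A',
    rf'Set value (str) {SVC}\Dhcp\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted" C:\Windows\System32\services.exe N/A',
]


@dataclass
class ServiceFinding:
    name: str
    service_dll: Optional[str] = None
    dll_untrusted: bool = False
    image_paths: List[str] = field(default_factory=list)
    svchost_group: Optional[str] = None
    stray_chars: List[str] = field(default_factory=list)
    writers: Set[str] = field(default_factory=set)


def _unescape(value: str) -> str:
    """The sandbox prints registry strings with doubled backslashes."""
    return value.replace("\\\\", "\\")


def parse_service_events(lines) -> Dict[str, ServiceFinding]:
    """Group registry writes by service name and apply the two checks."""
    findings: Dict[str, ServiceFinding] = {}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        s = SERVICE_RE.search(m["key"])
        if not s:
            continue
        f = findings.setdefault(s["name"], ServiceFinding(name=s["name"]))
        f.writers.add(m["process"])
        value = _unescape(m["value"])
        rest = s["rest"].lower()
        if rest == "parameters\\servicedll":
            f.service_dll = value
            f.dll_untrusted = not value.lower().startswith(TRUSTED_DLL_DIRS)
        elif rest == "imagepath":
            f.image_paths.append(value)
            ip = IMAGEPATH_RE.match(value)
            if ip:
                group = ip["group"]
                f.stray_chars.extend(ch for ch in group if not ch.isascii())
                f.svchost_group = "".join(ch for ch in group if ch.isascii())
    return findings


def suspicious_services(findings: Dict[str, ServiceFinding]) -> List[str]:
    """Names of services whose ServiceDll lives outside the trusted directories."""
    return sorted(name for name, f in findings.items() if f.dll_untrusted)
```

On a live host the same two checks apply to the contents of HKLM\SYSTEM\CurrentControlSet\Services: a ServiceDll under Program Files, ProgramData or a user profile, hosted by a stock svchost group, is the signature of this persistence regardless of the service name chosen.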

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 444 set thread context of 1936 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\base_uris.js C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\manifest.json C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef.pak C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\acrobat_pdf.svg C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\create_form.gif C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\AdobePDF417.pmp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Search.api C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\create_form.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_Full.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\base_uris.js C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\CPDF_Full.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_highContrast_bow.dll C:\Windows\SysWOW64\rundll32.exe N/A
Note: the other files created in C:\Program Files (x86)\WindowsPowerShell\Modules\ (base_uris.js, manifest.json, create_form.gif, AdobePDF417.pmp, Search.api, CPDF_Full.aapp) bear the names of the Adobe Acrobat Reader DC files opened for modification in the same burst, so the service DLL is planted among files that look like legitimate application content; only the .dll is referenced by the service registration above.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\lsknjp.job C:\Users\Admin\AppData\Local\Temp\2D79.exe N/A
File opened for modification C:\Windows\Tasks\lsknjp.job C:\Users\Admin\AppData\Local\Temp\2D79.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\E4F6.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5234114873c908014335c999b048382d2f1e68ef3cf98ff14e30e04a269126f7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5234114873c908014335c999b048382d2f1e68ef3cf98ff14e30e04a269126f7.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5234114873c908014335c999b048382d2f1e68ef3cf98ff14e30e04a269126f7.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000094553172100054656d7000003a0009000400efbe6b55586c945532722e00000000000000000000000000000000000000000000000000633cc300540065006d007000000014000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5234114873c908014335c999b048382d2f1e68ef3cf98ff14e30e04a269126f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5234114873c908014335c999b048382d2f1e68ef3cf98ff14e30e04a269126f7.exe N/A
(62 further events recorded with no description, indicator, process or target)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5234114873c908014335c999b048382d2f1e68ef3cf98ff14e30e04a269126f7.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
(this pair was recorded 10 times, alternating, with no process attributed)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 752 wrote to memory of 4908 N/A N/A C:\Users\Admin\AppData\Local\Temp\E4F6.exe
PID 752 wrote to memory of 4908 N/A N/A C:\Users\Admin\AppData\Local\Temp\E4F6.exe
PID 752 wrote to memory of 4908 N/A N/A C:\Users\Admin\AppData\Local\Temp\E4F6.exe
PID 4908 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\E4F6.exe C:\Windows\SysWOW64\rundll32.exe
PID 4908 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\E4F6.exe C:\Windows\SysWOW64\rundll32.exe
PID 4908 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\E4F6.exe C:\Windows\SysWOW64\rundll32.exe
PID 752 wrote to memory of 3808 N/A N/A C:\Users\Admin\AppData\Local\Temp\2D79.exe
PID 752 wrote to memory of 3808 N/A N/A C:\Users\Admin\AppData\Local\Temp\2D79.exe
PID 752 wrote to memory of 3808 N/A N/A C:\Users\Admin\AppData\Local\Temp\2D79.exe
PID 444 wrote to memory of 1936 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 444 wrote to memory of 1936 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 444 wrote to memory of 1936 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
Note: PID 752, the writer into both E4F6.exe (4908) and 2D79.exe (3808), is not listed in the Processes section, so the process that launched the two downloaded payloads is not identified in this report. The writes from PID 444 (32-bit rundll32.exe under SysWOW64) into PID 1936 (64-bit rundll32.exe under System32; the sandbox's mapping dump for it is taken at 0x00007FF7BF526890, a 64-bit address) pair with the SetThreadContext event above, i.e. a 32-bit stage redirecting execution inside a 64-bit host process.

Processes

C:\Users\Admin\AppData\Local\Temp\5234114873c908014335c999b048382d2f1e68ef3cf98ff14e30e04a269126f7.exe

"C:\Users\Admin\AppData\Local\Temp\5234114873c908014335c999b048382d2f1e68ef3cf98ff14e30e04a269126f7.exe"

C:\Users\Admin\AppData\Local\Temp\E4F6.exe

C:\Users\Admin\AppData\Local\Temp\E4F6.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4908 -ip 4908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 536

C:\Users\Admin\AppData\Local\Temp\2D79.exe

C:\Users\Admin\AppData\Local\Temp\2D79.exe

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14130

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\ProgramData\fjgceb\lsknjp.exe

C:\ProgramData\fjgceb\lsknjp.exe start

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k LocalService

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\aic_file_icons_retina_thumb_highcontrast_bow.dll",TxY5V0Ixcko=

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 dowe.at udp
N/A 91.195.240.101:80 dowe.at tcp
N/A 8.8.8.8:53 xisac.com udp
N/A 211.171.233.126:80 xisac.com tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 93.184.221.240:80 - tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 45.141.58.129:80 45.141.58.129 tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 23.236.181.126:443 23.236.181.126 tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 20.42.72.131:443 - tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 8.8.8.8:53 bitleague.live udp
N/A 198.38.91.55:443 bitleague.live tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 127.0.0.1:14130 - tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 127.0.0.1:1312 - tcp
N/A 93.184.221.240:80 - tcp
N/A 93.184.221.240:80 - tcp
N/A 93.184.221.240:80 - tcp
N/A 109.205.214.18:443 - tcp
N/A 104.80.225.205:443 - tcp
N/A 23.236.181.126:443 - tcp
N/A 127.0.0.1:14130 - tcp
(Rows are in the order the sandbox recorded them; "-" marks a connection for which no domain was recorded. The table does not attribute connections to processes, and sandbox captures also contain operating-system background traffic, so each external destination needs to be vetted before it is used as a blocking indicator.)
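The table above is what gets pasted into a blocklist far too often without triage. The Python below is an added example, not part of this report or of any sandbox product: it parses the rows, correlates the DNS lookups with the connections that followed, separates loopback and resolver traffic from the external indicators, and matches the loopback ports against the process command lines in this report (the rundll32 shell32.dll,#61 invocation carries 14130 as an argument). NETWORK_TABLE is copied from this report with "-" where no domain was recorded; the resolver address 8.8.8.8 is the one the sandbox used.

```python
"""Turn the Network table of a sandbox report into vetted hunting indicators.
Added example, not from this report or any sandbox product. Rows read
"<country> <ip>:<port> [<domain>] <proto>"; "-" or a repeated IP literal in the
domain column means no name was recorded. NETWORK_TABLE is copied from the
report; PROCESS_CMDLINES holds two of its rundll32 command lines."""
import ipaddress
import re
from typing import Dict, List, Tuple

NETWORK_TABLE = """\
N/A 8.8.8.8:53 dowe.at udp
N/A 91.195.240.101:80 dowe.at tcp
N/A 8.8.8.8:53 xisac.com udp
N/A 211.171.233.126:80 xisac.com tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 93.184.221.240:80 - tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 45.141.58.129:80 45.141.58.129 tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 23.236.181.126:443 23.236.181.126 tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 20.42.72.131:443 - tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 8.8.8.8:53 bitleague.live udp
N/A 198.38.91.55:443 bitleague.live tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 127.0.0.1:14130 - tcp
N/A 211.171.233.126:80 xisac.com tcp
N/A 127.0.0.1:1312 - tcp
N/A 93.184.221.240:80 - tcp
N/A 93.184.221.240:80 - tcp
N/A 93.184.221.240:80 - tcp
N/A 109.205.214.18:443 - tcp
N/A 104.80.225.205:443 - tcp
N/A 23.236.181.126:443 - tcp
N/A 127.0.0.1:14130 - tcp
"""
PROCESS_CMDLINES = [  # two command lines from this report's Processes section
    r'"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14130',
    r'"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye',
]
ROW_RE = re.compile(r"^(?P<country>\S+)\s+(?P<ip>[0-9.]+):(?P<port>\d+)"
                    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$")

Dest = Tuple[str, int, str]  # (ip, port, proto)


def parse_network(table: str) -> Tuple[Dict[str, int], Dict[Dest, dict]]:
    """Return (DNS lookups per domain, {(ip, port, proto): {"hits": n, "domains": set}})."""
    dns: Dict[str, int] = {}
    dests: Dict[Dest, dict] = {}
    for raw in table.splitlines():
        m = ROW_RE.match(raw.strip())
        if not m:
            continue  # header, blank or malformed row
        ip, port, proto, domain = m["ip"], int(m["port"]), m["proto"], m["domain"]
        if domain in (None, "-", ip):
            domain = None
        if proto == "udp" and port == 53 and domain:
            dns[domain] = dns.get(domain, 0) + 1
        d = dests.setdefault((ip, port, proto), {"hits": 0, "domains": set()})
        d["hits"] += 1
        if domain:
            d["domains"].add(domain)
    return dns, dests


def external_iocs(dests: Dict[Dest, dict], resolvers=("8.8.8.8",)) -> List[tuple]:
    """(ip, port, proto, hits, domains) for each non-loopback, non-resolver destination,
    busiest first. Sandbox captures include OS background traffic and this report does
    not attribute connections to processes, so vet each entry before blocking on it."""
    out = [(ip, port, proto, d["hits"], sorted(d["domains"]))
           for (ip, port, proto), d in dests.items()
           if not ipaddress.ip_address(ip).is_loopback and ip not in resolvers]
    return sorted(out, key=lambda t: (-t[3], t[0], t[1]))


def loopback_ports(dests: Dict[Dest, dict]) -> List[int]:
    """Ports contacted on 127.0.0.1: listeners the sample opened locally, not external IOCs."""
    return sorted({port for (ip, port, _p) in dests if ipaddress.ip_address(ip).is_loopback})


def ports_referenced_in(cmdlines: List[str], ports: List[int]) -> Dict[int, List[str]]:
    """Map each loopback port to the command lines that carry it as a separate token."""
    hits: Dict[int, List[str]] = {}
    for port in ports:
        matches = [c for c in cmdlines if str(port) in re.split(r'[\s,"]+', c)]
        if matches:
            hits[port] = matches
    return hits
```

The busiest external destination is 211.171.233.126:80 (xisac.com, 17 connections), and the two loopback ports show that part of the sample's traffic stays on the box: 14130 is the argument passed to the 64-bit rundll32.exe, so the listener on that port belongs to the injected host process rather than to a remote server.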

Files

memory/4188-132-0x0000000000788000-0x0000000000799000-memory.dmp

memory/4188-133-0x00000000006F0000-0x00000000006F9000-memory.dmp

memory/4188-134-0x0000000000400000-0x000000000045F000-memory.dmp

memory/4188-135-0x0000000000400000-0x000000000045F000-memory.dmp

memory/4908-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\E4F6.exe

MD5 11bccba197c0008c8d2635448a14541b
SHA1 3d7792942e6900117547d03d6ccbeac3852e1f45
SHA256 f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa
SHA512 5f7f0457c7b3d21322db66af1038187d91b3a300b6caa72dc2f3562c0c09dd0de67af6ce974b1c8471a03fed30936d026ac1ea4e253c9a16205edd603b936a8e

memory/444-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

MD5 24925b25552a7d8f1d3292071e545920
SHA1 f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA256 9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512 242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

memory/4908-142-0x000000000220E000-0x00000000022FD000-memory.dmp

memory/4908-143-0x0000000002300000-0x0000000002430000-memory.dmp

memory/4908-144-0x0000000000400000-0x000000000053E000-memory.dmp

memory/444-145-0x0000000004CB0000-0x00000000053D5000-memory.dmp

memory/444-146-0x0000000004CB0000-0x00000000053D5000-memory.dmp

memory/444-147-0x0000000005530000-0x0000000005670000-memory.dmp

memory/444-149-0x0000000005530000-0x0000000005670000-memory.dmp

memory/3808-148-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2D79.exe

MD5 cdc67700f25eaed1417264c4bdec03d3
SHA1 56639e9414e6ee8394d940d62778475ddf071290
SHA256 fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100
SHA512 a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

memory/3808-152-0x00000000005B9000-0x00000000005CA000-memory.dmp

memory/3808-153-0x0000000000490000-0x0000000000499000-memory.dmp

memory/3808-154-0x0000000000400000-0x000000000045F000-memory.dmp

memory/444-155-0x0000000005530000-0x0000000005670000-memory.dmp

memory/444-156-0x0000000005530000-0x0000000005670000-memory.dmp

memory/444-157-0x0000000005530000-0x0000000005670000-memory.dmp

memory/1936-159-0x00007FF7BF526890-mapping.dmp

memory/444-158-0x0000000005530000-0x0000000005670000-memory.dmp

memory/1936-160-0x0000020895300000-0x0000020895440000-memory.dmp

memory/1936-161-0x0000020895300000-0x0000020895440000-memory.dmp

memory/444-162-0x00000000055A9000-0x00000000055AB000-memory.dmp

memory/1936-163-0x0000000000630000-0x0000000000849000-memory.dmp

memory/1936-164-0x0000020893AC0000-0x0000020893CEA000-memory.dmp

memory/444-165-0x0000000004CB0000-0x00000000053D5000-memory.dmp

C:\ProgramData\fjgceb\lsknjp.exe

MD5 cdc67700f25eaed1417264c4bdec03d3
SHA1 56639e9414e6ee8394d940d62778475ddf071290
SHA256 fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100
SHA512 a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

memory/3808-168-0x00000000005B9000-0x00000000005CA000-memory.dmp

memory/1416-169-0x0000000000713000-0x0000000000723000-memory.dmp

memory/1416-170-0x0000000000400000-0x000000000045F000-memory.dmp

memory/3808-171-0x00000000005B9000-0x00000000005CA000-memory.dmp

memory/3808-172-0x0000000000400000-0x000000000045F000-memory.dmp

\??\c:\program files (x86)\windowspowershell\modules\aic_file_icons_retina_thumb_highcontrast_bow.dll

MD5 f66bed060034ad85e2d3d7606d8f33a4
SHA1 58ecaa5ea7b54c0874dd5159cc6c85898be971f8
SHA256 435f7a015f01caacf5e1021d800ef8a49f687d85989c7421fa3e205bc1931f4e
SHA512 8d2917a6fb0330a3bac4fe299185e6c545d79053ee93691e7e7f22829dd9a8ac68253df4ed8873d648e087826dde4dd8d3e90071b391f7db371dadb81f19709e

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp

MD5 2e4e5bfd0d757cc9bef8fe8703168e7f
SHA1 21770102e794c82092e4e82bfedd50a5088bb215
SHA256 8f1c319ec2a27577699582f741f2b43bd711aa84d45e00641941a64679c64ead
SHA512 8dcbdf8cf55b485c26bfdd9a2e33b0e7bc376396abc959892a14425336fa7b77f3472a6ecf1bbac4e45487aa62144a949c1869d5235bca5bb649ba04746eac61

memory/1464-176-0x0000000003D60000-0x0000000004485000-memory.dmp

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\1527c705-839a-4832-9118-54d4Bd6a0c89_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml

MD5 d2d725a3c34b3597b164a038ec06085a
SHA1 52eb2334afeccafd46b205de0d2c7306cb7b7c8d
SHA256 01bc9a89105cebd77ff81b814f794a71cbccf40f4d3e663758e63e202f5e1f00
SHA512 6f23fc81a4a5308966892ef880048ff079aec5968af5d6fcc0315c05533d597865b0572d18e0368da4ff85c9136b87a4cb9e878bc28738a18025d576b5a3f306

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe.xml

MD5 8a33c96712ba9c043f7a07d4c437a3fd
SHA1 dbd78a66c461017ee26a751925f9cecdea2590da
SHA256 eb8b0de59dd2efc380f7081af8975f37a83ee72c9c06ef25873f63d224adea1e
SHA512 7b9a15d219e4a5cd9146f8e7ae1d7c3b6f843ed060edf52e4928e349edd821a2d527f8f8402f774559f6cf282c83b751f02d2feaf9e040771c07bc4038a59e5a

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\edb.chk

MD5 21340b30b50bf39023c82c3f5f7e2191
SHA1 be30fd0676ee73ad765b60a8260b16fbb5aee75b
SHA256 44b356799549f16cb20a4bdd111b599c48d8f0ee05441e2a12999fa0e45a9ec4
SHA512 4b75fd293d2c659503d59045d5953c1d75d559775effc5babe0d358b15c1805cc4e6709940a647128da2cfbf191d8abee7c0f643b38858a80d6adcb7e66ffcaf

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\user.png

MD5 d7ee4543371744836d520e0ce24a9ee6
SHA1 a6cda6aac3e480b269b9da2bd616bdb4d6fa87f0
SHA256 98817a572430813ca4ca2787dab20573f7864c5168ac6912f34d14b49e7bd7c9
SHA512 e15b6a50d9d498918a81488bf8d60860027f9a38f4d87e239f1c6e9d20fe4938e75861dad35c69e4087370c18b2cd5b482ab6ca694dfe205d053f1d303d17808

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\EventStore.db

MD5 df1f91f22250f52a1445cdcbf265d1a6
SHA1 e7d220ec4c084da76d797efac809f3c03b190706
SHA256 a60ec6a0c045b7bdafd193c4d03b57f6f0740bce1c082ed79496a8910679ae4b
SHA512 236da8bf2becf5f3c265bb07c32c019dee22882108176487d7ca1e03ef0dd3a147223be1514dd4d395aabf7d0777a35cf2e16d2e58a84787a393c098e64e5319

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\ringtones.ico

MD5 8b30e7cbd25f178baac418e9b507b61e
SHA1 73c93d967571bb88b1bdf33477e7a5f758fc18e9
SHA256 0afa2eb896ffe20c5244dd191be791231c8b5b71eff200e75a3150a8e3296f30
SHA512 6b0ff7ff67cbb4c8611696273ee16fc5d57b53ea7869e0c97686583d7875faa65f04d7678017628a11420000f8bb869f6dca5fcbefb53b1824443fa73544944d

memory/664-183-0x0000000000000000-mapping.dmp
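Two things the flat Files list above does not show directly are which dropped paths are the same file and which dumped PIDs are 64-bit. The Python below is an added example, not part of this report or of any sandbox product: it parses a subset of the entries above (paths with MD5/SHA256, plus the memory/... dump names), groups paths by SHA256, derives the largest dumped region per PID, and classifies a PID as x64 once any dumped address lies above the 32-bit range. FILES_SECTION is copied from this report; the SHA1/SHA512 lines were left out of the subset for brevity.

```python
"""Cross-reference the Files section: identical content under different paths, and
the address width of each PID's memory dumps.
Added example, not from this report or any sandbox product. FILES_SECTION is a
subset of the report's Files list (paths with MD5/SHA256, plus memory/... dump
names); "mapping.dmp" entries carry only the address at which the sandbox took
the dump, "memory.dmp" entries carry a start-end range."""
import re
from typing import Dict, List, Tuple

FILES_SECTION = r"""
memory/4188-134-0x0000000000400000-0x000000000045F000-memory.dmp
memory/4908-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\E4F6.exe
MD5 11bccba197c0008c8d2635448a14541b
SHA256 f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa
memory/444-139-0x0000000000000000-mapping.dmp
memory/444-145-0x0000000004CB0000-0x00000000053D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2D79.exe
MD5 cdc67700f25eaed1417264c4bdec03d3
SHA256 fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100
C:\Users\Admin\AppData\Local\Temp\2D79.exe
MD5 cdc67700f25eaed1417264c4bdec03d3
SHA256 fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100
memory/1936-159-0x00007FF7BF526890-mapping.dmp
memory/1936-160-0x0000020895300000-0x0000020895440000-memory.dmp
memory/1936-163-0x0000000000630000-0x0000000000849000-memory.dmp
C:\ProgramData\fjgceb\lsknjp.exe
MD5 cdc67700f25eaed1417264c4bdec03d3
SHA256 fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100
C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_highContrast_bow.dll
MD5 f66bed060034ad85e2d3d7606d8f33a4
SHA256 435f7a015f01caacf5e1021d800ef8a49f687d85989c7421fa3e205bc1931f4e
"""

MEM_RE = re.compile(r"^memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)"
                    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$")
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512)\s+(?P<hex>[0-9a-f]+)$")


def parse_files(text: str) -> Tuple[Dict[str, Dict[str, str]], List[dict]]:
    """Return ({path: {algo: hex}}, [{"pid", "kind", "start", "size"}, ...])."""
    files: Dict[str, Dict[str, str]] = {}
    dumps: List[dict] = []
    current = None  # path whose hash lines we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start = int(m["start"], 16)
            size = int(m["end"], 16) - start if m["end"] else 0
            dumps.append({"pid": int(m["pid"]), "kind": m["kind"], "start": start, "size": size})
            current = None
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            files[current][h["algo"]] = h["hex"]
            continue
        current = line  # anything else is a path; a repeated path collapses onto one entry
        files.setdefault(current, {})
    return files, dumps


def same_content(files: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """SHA256 -> sorted paths, for hashes that appear under more than one path
    (a dropped file copied to its persistence location shows up here)."""
    by_hash: Dict[str, List[str]] = {}
    for path, hashes in files.items():
        if "SHA256" in hashes:
            by_hash.setdefault(hashes["SHA256"], []).append(path)
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def pid_architecture(dumps: List[dict]) -> Dict[int, str]:
    """'x64' once any dumped address lies above the 32-bit range; otherwise
    'low-address only', which is what a WOW64 (32-bit) process looks like but
    is not proof of one, since 64-bit processes also use low addresses."""
    arch: Dict[int, str] = {}
    for d in dumps:
        if d["start"] + d["size"] > 0xFFFFFFFF:
            arch[d["pid"]] = "x64"
        else:
            arch.setdefault(d["pid"], "low-address only")
    return arch


def region_sizes(dumps: List[dict]) -> Dict[int, int]:
    """Largest dumped region per PID in bytes; in an injection target the
    biggest region is often the unpacked payload."""
    sizes: Dict[int, int] = {}
    for d in dumps:
        sizes[d["pid"]] = max(sizes.get(d["pid"], 0), d["size"])
    return sizes
```

Run against this subset, the hash grouping shows that C:\ProgramData\fjgceb\lsknjp.exe is a byte-identical copy of the downloaded 2D79.exe (the persistence copy behind the lsknjp.job task), and the address check shows PID 1936 (System32 rundll32.exe) to be 64-bit while every dump of PID 444 (SysWOW64 rundll32.exe) sits below 4 GiB, consistent with the cross-architecture injection recorded in the SetThreadContext and WriteProcessMemory signatures.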