Malware Analysis Report

2025-05-05 21:45

Sample ID 221220-qphszahe89
Target file.exe
SHA256 5234114873c908014335c999b048382d2f1e68ef3cf98ff14e30e04a269126f7
Tags
danabot smokeloader systembc backdoor banker discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5234114873c908014335c999b048382d2f1e68ef3cf98ff14e30e04a269126f7

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

danabot smokeloader systembc backdoor banker discovery trojan

Danabot

SmokeLoader

Detects Smokeloader packer

SystemBC

Downloads MZ/PE file

Executes dropped EXE

Blocklisted process makes network request

Loads dropped DLL

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-20 13:26

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-12-20 13:26

Reported

2022-12-20 13:28

Platform

win10v2004-20221111-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Danabot

trojan banker danabot

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

SystemBC

trojan systembc

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F801.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421B.exe N/A
N/A N/A C:\ProgramData\qxqth\gamnfns.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4284 set thread context of 996 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_agreement_filetype.svg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\create_form.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_highcontrast.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\logsession.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Onix32.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-focus.svg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_joined.gif C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_Full.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Certificates_R.aapp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-default.svg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main.css C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapter.dll C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\gamnfns.job C:\Users\Admin\AppData\Local\Temp\421B.exe N/A
File opened for modification C:\Windows\Tasks\gamnfns.job C:\Users\Admin\AppData\Local\Temp\421B.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000094556073100054656d7000003a0009000400efbe6b55586c945561732e00000000000000000000000000000000000000000000000000aceb1d01540065006d007000000014000000 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2632 wrote to memory of 2804 N/A N/A C:\Users\Admin\AppData\Local\Temp\F801.exe
PID 2632 wrote to memory of 2804 N/A N/A C:\Users\Admin\AppData\Local\Temp\F801.exe
PID 2632 wrote to memory of 2804 N/A N/A C:\Users\Admin\AppData\Local\Temp\F801.exe
PID 2804 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\F801.exe C:\Windows\SysWOW64\rundll32.exe
PID 2804 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\F801.exe C:\Windows\SysWOW64\rundll32.exe
PID 2804 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\F801.exe C:\Windows\SysWOW64\rundll32.exe
PID 2632 wrote to memory of 3920 N/A N/A C:\Users\Admin\AppData\Local\Temp\421B.exe
PID 2632 wrote to memory of 3920 N/A N/A C:\Users\Admin\AppData\Local\Temp\421B.exe
PID 2632 wrote to memory of 3920 N/A N/A C:\Users\Admin\AppData\Local\Temp\421B.exe
PID 4284 wrote to memory of 996 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4284 wrote to memory of 996 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4284 wrote to memory of 996 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\F801.exe

C:\Users\Admin\AppData\Local\Temp\F801.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2804 -ip 2804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 532

C:\Users\Admin\AppData\Local\Temp\421B.exe

C:\Users\Admin\AppData\Local\Temp\421B.exe

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14130

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\ProgramData\qxqth\gamnfns.exe

C:\ProgramData\qxqth\gamnfns.exe start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3920 -ip 3920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 492

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k LocalService

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\3difr.dll",eR5bZlk5VVFa

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 dowe.at udp
N/A 91.195.240.101:80 dowe.at tcp
N/A 8.8.8.8:53 xisac.com udp
N/A 211.119.84.112:80 xisac.com tcp
N/A 211.119.84.112:80 xisac.com tcp
N/A 211.119.84.112:80 xisac.com tcp
N/A 211.119.84.112:80 xisac.com tcp
N/A 211.119.84.112:80 xisac.com tcp
N/A 45.141.58.129:80 45.141.58.129 tcp
N/A 211.119.84.112:80 xisac.com tcp
N/A 211.119.84.112:80 xisac.com tcp
N/A 23.236.181.126:443 23.236.181.126 tcp
N/A 211.119.84.112:80 xisac.com tcp
N/A 211.119.84.112:80 xisac.com tcp
N/A 211.119.84.112:80 xisac.com tcp
N/A 211.119.84.112:80 xisac.com tcp
N/A 20.42.65.84:443 tcp
N/A 211.119.84.112:80 xisac.com tcp
N/A 211.119.84.112:80 xisac.com tcp
N/A 211.119.84.112:80 xisac.com tcp
N/A 211.119.84.112:80 xisac.com tcp
N/A 8.8.8.8:53 bitleague.live udp
N/A 198.38.91.55:443 bitleague.live tcp
N/A 127.0.0.1:14130 tcp
N/A 211.119.84.112:80 xisac.com tcp
N/A 211.119.84.112:80 xisac.com tcp
N/A 127.0.0.1:1312 tcp
N/A 178.79.208.1:80 tcp
N/A 178.79.208.1:80 tcp
N/A 109.205.214.18:443 tcp
N/A 23.236.181.126:443 tcp

Files

memory/4756-132-0x00000000004F9000-0x0000000000509000-memory.dmp

memory/4756-133-0x0000000002190000-0x0000000002199000-memory.dmp

memory/4756-134-0x0000000000400000-0x000000000045F000-memory.dmp

memory/4756-135-0x0000000000400000-0x000000000045F000-memory.dmp

memory/2804-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\F801.exe

MD5 3967f9e696a6bf35357fd4a240c4018e
SHA1 999bf859c09e824863ce2cd5222ef200f18bc95b
SHA256 e1d8c775765a124d8ea8b8281582fbc2b3aec1e943d7a05e8d7459889971303a
SHA512 0cc1f3d64120d9b00389ad45197393fa7fff01da006c3f6624f731e82c268a78dcdc26e13dd26e742984185b3c23c77c072132dc95c9de2696869538837b3103

memory/4284-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

MD5 24925b25552a7d8f1d3292071e545920
SHA1 f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA256 9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512 242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

memory/2804-142-0x00000000021CF000-0x00000000022BD000-memory.dmp

memory/2804-143-0x00000000022C0000-0x00000000023F0000-memory.dmp

memory/2804-144-0x0000000000400000-0x000000000053E000-memory.dmp

memory/4284-145-0x0000000005D70000-0x0000000006495000-memory.dmp

memory/4284-146-0x0000000005D70000-0x0000000006495000-memory.dmp

memory/4284-148-0x0000000004EE0000-0x0000000005020000-memory.dmp

memory/4284-147-0x0000000004EE0000-0x0000000005020000-memory.dmp

memory/3920-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\421B.exe

MD5 cdc67700f25eaed1417264c4bdec03d3
SHA1 56639e9414e6ee8394d940d62778475ddf071290
SHA256 fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100
SHA512 a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

memory/3920-152-0x0000000000539000-0x000000000054A000-memory.dmp

memory/3920-153-0x00000000004E0000-0x00000000004E9000-memory.dmp

memory/3920-154-0x0000000000400000-0x000000000045F000-memory.dmp

memory/4284-155-0x0000000004EE0000-0x0000000005020000-memory.dmp

memory/4284-156-0x0000000004EE0000-0x0000000005020000-memory.dmp

memory/4284-157-0x0000000004EE0000-0x0000000005020000-memory.dmp

memory/4284-158-0x0000000004EE0000-0x0000000005020000-memory.dmp

memory/996-159-0x00007FF744736890-mapping.dmp

memory/996-160-0x000001D0FF990000-0x000001D0FFAD0000-memory.dmp

memory/996-161-0x000001D0FF990000-0x000001D0FFAD0000-memory.dmp

memory/4284-162-0x0000000004F59000-0x0000000004F5B000-memory.dmp

memory/996-163-0x0000000000100000-0x0000000000319000-memory.dmp

memory/996-164-0x000001D0FF560000-0x000001D0FF78A000-memory.dmp

memory/4284-165-0x0000000005D70000-0x0000000006495000-memory.dmp

C:\ProgramData\qxqth\gamnfns.exe

MD5 cdc67700f25eaed1417264c4bdec03d3
SHA1 56639e9414e6ee8394d940d62778475ddf071290
SHA256 fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100
SHA512 a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

memory/3920-168-0x0000000000539000-0x000000000054A000-memory.dmp

memory/4508-169-0x00000000004B2000-0x00000000004C3000-memory.dmp

memory/4508-170-0x0000000000400000-0x000000000045F000-memory.dmp

memory/3920-171-0x0000000000400000-0x000000000045F000-memory.dmp

\??\c:\program files (x86)\windowspowershell\modules\3difr.dll

MD5 f974b1983e6fbdd3a284c072d5dd9eb1
SHA1 795f2f80d41d7aa0d07b35b4271a6042f93f66ba
SHA256 6f36f042885a2ce32472b83dcd41b94702e53b0efc5fbbf8c648c974731ed938
SHA512 a0237f7507e3f520fb8a2af70631658b5d5ce88d622009a4ee1e16221188e1d11cf349accb9815e256f949edc61dcad1cbe82146ca7dc867021074ed020a3878

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp

MD5 4f738cde1a0491b140bfab4af53ff5a7
SHA1 a14ed3d4fbc6a44cc1674bdb1c0336edf2095284
SHA256 9b4eb077bc1a8513882b4d7242ff2ee6b68ec537b079257e1cea85b7c12b671f
SHA512 dfb866c900607cabb37f70132b615ab30fc2466bc21c2e0359c81c66b22dfb13661f24898fa3dcb711d3b39b683b8f02c3d8663e03f74cefea8d16de5434a490

C:\Program Files (x86)\WindowsPowerShell\Modules\3difr.dll

MD5 f974b1983e6fbdd3a284c072d5dd9eb1
SHA1 795f2f80d41d7aa0d07b35b4271a6042f93f66ba
SHA256 6f36f042885a2ce32472b83dcd41b94702e53b0efc5fbbf8c648c974731ed938
SHA512 a0237f7507e3f520fb8a2af70631658b5d5ce88d622009a4ee1e16221188e1d11cf349accb9815e256f949edc61dcad1cbe82146ca7dc867021074ed020a3878

memory/3976-175-0x0000000003AB0000-0x00000000041D5000-memory.dmp

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe.xml

MD5 dae188e1f4d8d97d8d65164eb0dda551
SHA1 78b54e226446825c56d15a19a3ed4b587a8842a2
SHA256 5bae5febdf75a2fe0b73791d603c7c9ac5de0d00dffc909b5dbc86bcd6dd15f2
SHA512 941d94c42572abcb937258e99a5d1b520c9f85ce741e81e81e7a299287ae9e8fb763fdc70b661a812c780f4b6997b84c8147791ac56f1510a87966c68ab23b22

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftOutlook2016CAWin64.xml

MD5 4b6a6960b925c7bd5b83d8a4196e24e4
SHA1 f1bb8a50ffb8cce0804db90d2e3ecdbbbe3f460b
SHA256 5f45e2be37f33052a97235462325f5ae32d3713bdaa6eeeea49e92f0e9fc6ed0
SHA512 21f420212c86df357ad83079876d969bab0d089ac506d3dcfb1cfcb134f118a741491454e79538bf5c8d4d2b2ab1fc14d07d0cc3f263874396bd9546bf3b71b1

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\DeploymentConfiguration.xml

MD5 54cec4437128f703c259efb3dc734386
SHA1 9b15ebe33a771a7e12cd966fd8b583da06914015
SHA256 d44d8ffc6e0261e32c4b5c77573a0daa0b4066d4e160c2cd5b5728199f63dfb4
SHA512 c1793acc8f6dc9997fd0261d501ffed200f3c039c9b77e554a031262925878b56727bd84cf5fbeeccb481c1d4511f37e940a8f8436054c8f08adb8e5f46773ea

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\SystemIndex.1.gthr

MD5 965a2a9ee2ded00e2e95a74587e92b01
SHA1 3cb498c851d41846c973cad384d5a00a8a4ace9f
SHA256 5ce6ff5166d4f60940f300391ce63f469bc9d81f9a75299f9d5e4af019d40437
SHA512 185e998ae35d4ae62a500d27f4a98e9154f446842e9898a79cc7c5ac6ec7d05469dc1b8b648ddad60210ece5ec87334c8c2e239de40c2e49a6dd8db3d329430b

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe.xml

MD5 2bc8ee174a90308d275eda81bf42d95e
SHA1 284647d3ee515e4794d1984d2f01989f33121d2d
SHA256 d8bd4c83debd08b1a21d24b3c4a445512ef1931717c01e113fbfc20f47157ea8
SHA512 fe5d552cbfea372817d64c69f22cbf1a02d1b7ef27ef4a0acf68247a2794f58d09b0147ef110a0267bda87c6712ba18dc261a8c9c7e3ed4c1352bb324ed42327

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\edb.jcp

memory/4200-184-0x0000000000000000-mapping.dmp

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftEdgeDevToolsClient_1000.19041.1023.0_neutral_neutral_8wekyb3d8bbwe.xml

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe.xml

C:\Program Files (x86)\WindowsPowerShell\Modules\3difr.dll

C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp

memory/3976-187-0x0000000003AB0000-0x00000000041D5000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-20 13:26

Reported

2022-12-20 13:28

Platform

win7-20220812-en

Max time kernel

150s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Network

N/A

Files

memory/1372-54-0x0000000075921000-0x0000000075923000-memory.dmp

memory/1372-56-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1372-55-0x00000000008DB000-0x00000000008EC000-memory.dmp

memory/1372-57-0x0000000000400000-0x000000000045F000-memory.dmp

memory/1372-58-0x0000000000400000-0x000000000045F000-memory.dmp