{
	"id": "0026aa1e-35f2-40e3-9e67-628ef1c8c7dd",
	"created_at": "2026-04-06T00:06:19.541176Z",
	"updated_at": "2026-04-10T13:12:29.36991Z",
	"deleted_at": null,
	"sha1_hash": "3c66e2b9d9a8efbabd3c9e75866164330efb0fe8",
	"title": "Malware Analysis and Deobfuscation With Procmon - Smokeloader Example",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1722563,
	"plain_text": "Malware Analysis and Deobfuscation With Procmon - Smokeloader Example\r\nBy Matthew\r\nPublished: 2023-06-24 · Archived: 2026-04-05 15:34:22 UTC\r\nThis post will show you how to manually decode a SmokeLoader Visual Basic (.vbs) script using Procmon. From there you will see how to retrieve additional stages using PowerShell and identify the malware sample using sandbox tooling.\r\nThe initial file can be downloaded from MalwareBazaar and unzipped using the password \"infected\".\r\nSHA256: 375798f97452cb9143ffb08922bebb13eb6bb0c27a101ebc568a3e5295361936\r\nInitial Analysis\r\nThe initial file after unzipping is a Visual Basic .vbs script.\r\nAn additional copy, 375.vbs, was made in order to preserve the original and work with a simpler filename.\r\nSince Visual Basic Script is a text-based language, the file can be opened using a text editor.\r\nThis blog will use Sublime Text, but VS Code, Notepad++, or any other text editor with language highlighting and regex-capable find/replace will work equally well.\r\nThe script is \"only\" 10 lines long and primarily consists of a large blob of decimal values (line 1) and a large blob of text (line 3).\r\nhttps://embee-research.ghost.io/smokeloader-analysis-with-procmon/\r\nPage 1 of 12\n\nThe remainder of the surrounding code is used to decode the decimal and text blobs.\r\nDecoding Malware with Process Monitor (Procmon)\r\nThis is by far the simplest method for decoding script-based malware. It involves executing the script inside a safe virtual machine while simultaneously running the \"Process Monitor\" tool from Sysinternals.\r\nProcmon will capture any new processes spawned by the obfuscated script, revealing the decoded command line arguments that were used to spawn each new process. This bypasses much of the obfuscation that may be present in the original encoded script.\r\nThe downside of this method is that it assumes a new process will be spawned, but it is the easiest method and a great skill to have.\r\nIf you are using FLARE VM, you will already have Procmon installed. If not, you can obtain it from the Sysinternals website.\r\nHow to monitor the malware with Procmon\r\nTo \"decode\" the malware using Procmon, you must first start Procmon and perform a few basic actions.\r\nThese basic actions are needed to focus on only the events related to the malware. Since Procmon can capture hundreds of thousands of events per second, which quickly eats up memory, you want to make sure you capture only the right events.\r\n1. Locate and open Procmon\r\n2. Stop capture (CTRL+E), or manually deselect the capture button.\r\n3. Clear the window (CTRL+X)\r\n4. Set a filter on WScript.exe (CTRL+L)\r\n5. Turn on capture and run the malware.\r\nHere we can see the initial screen when Procmon is first opened. Within seconds, 63,014 total events are captured. We want to stop this as soon as possible.\r\nCapture can be stopped with CTRL+E or by manually deselecting the capture button.\r\nOpening Procmon and stopping capture\r\nOnce the capture has been stopped, the already captured events will need to be cleared from the screen.\r\nThe captured events can be cleared with CTRL+X or by hitting the trash can button. This creates a clean screen for easy future analysis.\r\nWith the window now cleared, a new filter can be created with CTRL+L or by hitting the filter button. This will allow us to \"hone in\" on only wscript.exe, which is the process responsible for running .vbs scripts.\r\nA new process filter for wscript.exe can now be created. Make sure to press \"Add\" to save the new filter.\r\nThis will result in a new filter entry for wscript.exe.\r\nAt this stage, the event capture can be restarted. This will begin capturing all events related to wscript.exe.\r\nNow that the capture is ready, it's time to run the original malware script.\r\nThis is as simple as double-clicking on the original .vbs file. Windows will run the script using wscript.exe by default.\r\nWith the filters correctly set, the events will now be captured by Procmon.\r\nAt first glance this is a lot (9,297 events in just a few seconds), but we will soon filter down to a manageable number.\r\nThe primary focus here is to identify whether any new processes were spawned during the execution of the script. If a new process has been launched, we want to observe any arguments that have been passed and see if this reveals the functionality of the malware, or at least brings us closer to something that allows us to determine what it does.\r\nIdentifying Spawned Processes Using Procmon\r\nThe process tree is the best way to identify newly spawned processes. This can be accessed by pressing CTRL+T or browsing the Procmon menu Tools -\u003e Process Tree.\r\nThis will reveal a window similar to the one below. The top half has been covered to improve readability.\r\nIn the screenshot above we can see that WScript.exe has ultimately spawned 3 new processes: cmd.exe, conhost.exe and powershell.exe.\r\nBy honing in on the right-most column titled \"Command\", you can observe the decoded commands that were used to spawn each process.\r\nIn the cmd.exe command you can see that cmd.exe was used to spawn PowerShell via the /c argument. The cmd.exe serves no malicious purpose; it serves only to spawn PowerShell.\r\nThe /c argument causes the spawned process to terminate after it has finished. This avoids a PowerShell terminal hanging around on the screen, as would happen if PowerShell were launched directly.\r\nDetection related tangent\r\nThe usage of cmd.exe also introduces the process relationship WScript.exe -\u003e cmd.exe -\u003e powershell.exe. This may hinder detection in SIEM tooling that does not capture grandparent processes.\r\nFor example, wscript.exe -\u003e powershell.exe is not common and would make a simple and reliable detection. cmd.exe -\u003e powershell.exe and wscript.exe -\u003e cmd.exe are both very common and would require tuning and additional filtering for reliable detection.\r\nReturning to the Procmon output, the final command can be easily observed by clicking on the line containing PowerShell.\r\nThe content has not been fully de-obfuscated yet, but we now have a PowerShell command with a seemingly simple Base64 blob. This is much better than the initial obfuscated .vbs script.\r\nTo obtain the full contents, you can highlight the command window and hit CTRL+C.\r\nPasting back into a text editor, the semi-decoded PowerShell command can be observed.\r\nThe final decoded component is easily obtained using CyberChef and \"From Base64\". Remember to add \"Remove Null Bytes\" if you observe any dots or weird red lines; these are due to the UTF-16 encoding common in Windows.\r\nWe can now observe a decoded command that downloads a string from americanocoffea[.]ru. The resulting string is then executed using Invoke-Expression (IEX). Since the decoded string is executed within PowerShell, it is likely another PowerShell script.\r\nDomain Analysis\r\nThe domain americanocoffea[.]ru had 11/87 detections at the time of writing (2023/05/23). There was no information available on VirusTotal to determine which malware was being downloaded.\r\nA malicious domain has now been identified and can be used as an IOC. However, there is no information on the malware that may be downloaded.\r\nRetrieving a Malware Payload with PowerShell\r\nIf the malware infection and script are recent enough, then the next stage can be obtained directly from the malicious server using PowerShell.\r\nThe simplest way to do this is to use PowerShell Invoke-WebRequest (iwr) from within a safe virtual machine (and ideally behind a VPN).\r\nIf you require additional anonymity from attacker infrastructure, there are also tools such as grabbrapp for safely probing infrastructure and obtaining malware payloads.\r\nIn an ideal situation such as this one, PowerShell works just fine. The sample can be obtained by running the following command.\r\npowershell.exe -iwr http://americanocoffea[.]ru -outfile output.txt\r\nIn the output (blue) of the screenshot above, we can see the downloaded content is another small PowerShell script. This script downloads an executable from the URL below, writes it to the user's temp directory ($env:temp) as qScTdMN.exe, and executes it.\r\nhttp://americanocoffea[.]ru/antirecord/trust[.]exe\r\nThis full URL and exe name would both make for good indicators in an IR situation. The use of randomly named .exe files in the user temp directory may also be a good indicator.\r\nThe next .exe can be retrieved using the same technique with iwr. Retrieving this additional file can be useful to obtain a full hash and binary information. In particular, you would now have a working sample that you can provide to a sandbox tool, malware analyst or any other tooling for the analysis of malware.\r\nBelow is a simple iwr command to download the next stage containing the .exe file.\r\nChecking the file hash on VirusTotal, there are 37/71 detections.\r\nIn many cases, you do not need (and may not be allowed) to submit the file to VirusTotal. In this situation you can obtain a file hash (using Detect It Easy, pestudio, etc.) and submit the hash to see if it has previously been analysed. In this case, the file hash was already known to VirusTotal.\r\nReviewing the comments reveals multiple references to SmokeLoader.\r\nOne of the links above is to a Triage analysis, with a confident 10/10 verdict of SmokeLoader for an identical file.\r\nAt this point, I would be confident to label the malware sample and incident as SmokeLoader.\r\nConclusion\r\nThe malware has now been decoded and identified as SmokeLoader. A domain and full URL have been obtained, as well as an exe hash and a confident verdict of the malware family.\r\nSource: https://embee-research.ghost.io/smokeloader-analysis-with-procmon/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://embee-research.ghost.io/smokeloader-analysis-with-procmon/"
	],
	"report_names": [
		"smokeloader-analysis-with-procmon"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433979,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c66e2b9d9a8efbabd3c9e75866164330efb0fe8.pdf",
		"text": "https://archive.orkl.eu/3c66e2b9d9a8efbabd3c9e75866164330efb0fe8.txt",
		"img": "https://archive.orkl.eu/3c66e2b9d9a8efbabd3c9e75866164330efb0fe8.jpg"
	}
}