Malware Analysis Report

2025-08-10 19:20

Sample ID 220616-lmp22sfgc5
Target 7090e8e96194c00e896c6045572bbed8 (a 32-hex-character name, consistent with the sample's MD5 being used as its file name; the process listings below show it was detonated under the original name "Request for kitchen equipment list+pictures needed for quotes pdf.exe")
SHA256 9b7a45f3ebfcd982ebb3611691539a2dc36d723f8e120f0d265512b6073bde61
Tags
xloader no9u loader rat suricata
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9b7a45f3ebfcd982ebb3611691539a2dc36d723f8e120f0d265512b6073bde61

Threat Level: Known bad

The file 7090e8e96194c00e896c6045572bbed8 was found to be: Known bad.

Malicious Activity Summary

xloader no9u loader rat suricata

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader is the renamed continuation of FormBook, so the Emerging Threats FormBook check-in rule firing on an Xloader sample is the expected detection, not a misattribution. The "no9u" tag is the campaign identifier extracted from the sample's configuration.

Xloader

Xloader Payload

Deletes itself

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-06-16 09:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-16 09:39

Reported

2022-06-16 09:42

Platform

win7-20220414-en

Max time kernel

150s

Max time network

163s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader

loader xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata

Xloader Payload

rat

Description Indicator Process Target
N/A N/A N/A N/A (5 matches; no description, indicator, process or target recorded)

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe N/A 10
N/A N/A C:\Windows\SysWOW64\wlanext.exe N/A 16

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wlanext.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Two separate write chains are visible. The loader (PID 1368) writes into four successive children that are copies of itself (628, 1792, 1536 and 1524); only the last, 1524, reaches the payload stage and is the child the memory dumps below were taken from. Separately, Explorer.EXE (PID 1308) writes into wlanext.exe (PID 112), and wlanext.exe then writes into cmd.exe (PID 592), the process that runs the self-delete. The hop from the loader side into Explorer is not a WriteProcessMemory event; it is what the MapViewOfSection and SetThreadContext signatures in the summary record. The Count column gives the number of write calls logged for each writer/target pair.

Description Indicator Process Target Count
PID 1368 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe 4
PID 1368 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe 4
PID 1368 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe 4
PID 1368 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe 7
PID 1308 wrote to memory of 112 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wlanext.exe 4
PID 112 wrote to memory of 592 N/A C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\cmd.exe 4

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"

C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"

C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"

C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"

C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"

C:\Windows\SysWOW64\wlanext.exe

"C:\Windows\SysWOW64\wlanext.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"

Network

Every lookup goes to 8.8.8.8, and each domain that resolves is then contacted over plain HTTP on port 80, which is the Xloader/FormBook check-in pattern the Suricata rule keys on. Two caveats before turning this table into indicators: the family's configuration carries a long list of domains of which most are decoys, so a domain's presence here does not by itself make it live C2; and domains with a DNS row but no following TCP row (www.reiswaarvoor.com, www.shannonmeissner.com) were queried but never contacted during this run.

Country Destination Domain Proto
US 8.8.8.8:53 www.izopop.com udp
CA 23.227.38.74:80 www.izopop.com tcp
US 8.8.8.8:53 www.reiswaarvoor.com udp
US 8.8.8.8:53 www.agencesarahm.com udp
NL 142.250.179.147:80 www.agencesarahm.com tcp
US 8.8.8.8:53 www.woodshiremhc.com udp
US 74.115.45.120:80 www.woodshiremhc.com tcp
US 8.8.8.8:53 www.phoenixautonomousdrills.com udp
US 34.102.136.180:80 www.phoenixautonomousdrills.com tcp
US 8.8.8.8:53 www.foxfyr.com udp
US 23.81.144.134:80 www.foxfyr.com tcp
US 8.8.8.8:53 www.renkliavm.com udp
TR 94.199.206.56:80 www.renkliavm.com tcp
US 8.8.8.8:53 www.shannonmeissner.com udp

Files

All entries are memory dumps; no dropped files are recorded, and the loader itself is removed by the cmd.exe self-delete. The 0x29000-byte region 0x400000-0x429000 in PID 1524 (the surviving loader copy) and the same-sized region 0x80000-0xA9000 in wlanext.exe (PID 112) are consistent with one unpacked payload image present at both injection stages; the address in 1524-63-0x000000000041D430-mapping.dmp lies inside the first of them, consistent with SetThreadContext redirecting execution into it.

memory/1368-54-0x0000000000210000-0x0000000000282000-memory.dmp

memory/1368-55-0x0000000076171000-0x0000000076173000-memory.dmp

memory/1368-56-0x0000000001CF0000-0x0000000001CFA000-memory.dmp

memory/1368-57-0x0000000005120000-0x0000000005186000-memory.dmp

memory/1368-58-0x0000000004670000-0x00000000046A0000-memory.dmp

memory/1524-59-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1524-60-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1524-62-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1524-63-0x000000000041D430-mapping.dmp

memory/1524-65-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1524-66-0x0000000000AE0000-0x0000000000DE3000-memory.dmp

memory/1308-68-0x0000000007390000-0x00000000074FD000-memory.dmp

memory/1524-67-0x0000000000180000-0x0000000000191000-memory.dmp

memory/112-69-0x0000000000000000-mapping.dmp

memory/592-70-0x0000000000000000-mapping.dmp

memory/112-71-0x0000000000360000-0x0000000000376000-memory.dmp

memory/112-72-0x0000000000080000-0x00000000000A9000-memory.dmp

memory/112-73-0x0000000002160000-0x0000000002463000-memory.dmp

memory/112-74-0x00000000003C0000-0x0000000000450000-memory.dmp

memory/1308-75-0x0000000007500000-0x0000000007632000-memory.dmp

memory/112-76-0x0000000000080000-0x00000000000A9000-memory.dmp

memory/1308-77-0x0000000007500000-0x0000000007632000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-16 09:39

Reported

2022-06-16 09:42

Platform

win10v2004-20220414-en

Max time kernel

160s

Max time network

170s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader

loader xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata

Xloader Payload

rat

Description Indicator Process Target
N/A N/A N/A N/A (4 matches; no description, indicator, process or target recorded)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe N/A 13
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A 30

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Same three-stage chain as on Windows 7, with cmd.exe (PID 3968) taking the role of the hijacked system process instead of wlanext.exe: the loader (PID 5032) writes into copies of itself (3708, then 5000), Explorer.EXE (PID 1092) writes into cmd.exe (PID 3968), and that cmd.exe writes into a second cmd.exe (PID 1076) which performs the self-delete. The Count column gives the number of write calls logged for each writer/target pair.

Description Indicator Process Target Count
PID 5032 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe 3
PID 5032 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe 6
PID 1092 wrote to memory of 3968 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmd.exe 3
PID 3968 wrote to memory of 1076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 3

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"

C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"

C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\SysWOW64\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"
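The WriteProcessMemory tables of both detonations describe the same three-stage chain: loader into a copy of itself, Explorer into a Windows system binary, that binary into cmd.exe. The script below is an added example, not part of the sandbox report or of any tria.ge tooling. It parses rows in the report's own row format (the sample rows are constructed from the two tables, with repeated writes collapsed apart from one duplicate kept to show the counting), labels each writer/target pair with the stage it fits, and rebuilds the chain from explorer.exe onward. The stage names and the SYSTEM_DIRS list are this example's own assumptions.

```python
"""Rebuild the Xloader injection chain from the report's WriteProcessMemory rows.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
from the "Suspicious use of WriteProcessMemory" tables of both detonations.
"""
import re
from collections import Counter, defaultdict

LOADER = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\Request for kitchen equipment list+pictures needed for quotes pdf.exe")

SAMPLE_EVENTS = {
    "behavioral1": [
        f"PID 1368 wrote to memory of 628 N/A {LOADER} {LOADER}",
        f"PID 1368 wrote to memory of 1792 N/A {LOADER} {LOADER}",
        f"PID 1368 wrote to memory of 1536 N/A {LOADER} {LOADER}",
        f"PID 1368 wrote to memory of 1524 N/A {LOADER} {LOADER}",
        f"PID 1368 wrote to memory of 1524 N/A {LOADER} {LOADER}",  # duplicate kept on purpose
        r"PID 1308 wrote to memory of 112 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wlanext.exe",
        r"PID 112 wrote to memory of 592 N/A C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\cmd.exe",
    ],
    "behavioral2": [
        f"PID 5032 wrote to memory of 3708 N/A {LOADER} {LOADER}",
        f"PID 5032 wrote to memory of 5000 N/A {LOADER} {LOADER}",
        r"PID 1092 wrote to memory of 3968 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmd.exe",
        r"PID 3968 wrote to memory of 1076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe",
    ],
}

# Row format: "PID <src> wrote to memory of <dst> N/A <src image> <dst image>".
# Both image paths start with "C:\", which is what lets a space-separated row
# be split even though the loader's file name itself contains spaces.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+)$")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # assumption for this example


def parse_events(lines):
    """Return one (src_pid, dst_pid, src_image, dst_image) tuple per row."""
    events = []
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events


def base(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def classify(events):
    """Label each distinct writer->target pair with the stage it fits.

    Order matters: cmd.exe writing into cmd.exe (behavioral2) is the hand-off
    stage, not self-hollowing, so the system-binary checks run first.
    """
    findings = []
    for (s, d, si, di), n in Counter(events).items():
        if base(si) == "explorer.exe" and in_system_dir(di):
            stage = "stage2: injected explorer.exe writes into a Windows system binary"
        elif in_system_dir(si) and base(di) == "cmd.exe":
            stage = "stage3: hijacked system process hands off to cmd.exe (self-delete)"
        elif si == di and s != d and not in_system_dir(si):
            stage = "stage1: loader writes into a fresh copy of itself (hollowing)"
        else:
            stage = "unclassified cross-process write"
        findings.append({"src": s, "dst": d, "src_image": si, "dst_image": di,
                         "writes": n, "stage": stage})
    return findings


def chain_from_explorer(events):
    """Follow writer->target edges from explorer.exe; returns image base names.

    The loader's own writes form a separate component: its hop into explorer
    is done by section mapping / SetThreadContext (the summary signatures),
    which never appears as a WriteProcessMemory event.
    """
    succ, images = defaultdict(list), {}
    for s, d, si, di in events:
        succ[s].append(d)
        images[s], images[d] = si, di
    pid = next((p for p, img in images.items() if base(img) == "explorer.exe"), None)
    chain, seen = [], set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append(base(images[pid]))
        pid = succ[pid][0] if succ.get(pid) else None
    return chain


def is_xloader_chain(events):
    """True when all three stages are present in one detonation."""
    stages = {f["stage"].split(":")[0] for f in classify(events)}
    return {"stage1", "stage2", "stage3"} <= stages


if __name__ == "__main__":
    for run, lines in SAMPLE_EVENTS.items():
        ev = parse_events(lines)
        print(f"{run}: {' -> '.join(chain_from_explorer(ev))}  xloader={is_xloader_chain(ev)}")
        for f in classify(ev):
            print(f"  {f['src']}->{f['dst']} x{f['writes']}  {f['stage']}")
```

Run against the behavioral1 rows the chain comes out as explorer.exe -> wlanext.exe -> cmd.exe, and against behavioral2 as explorer.exe -> cmd.exe -> cmd.exe; the loader's self-writes never connect to Explorer in this event source, which is why a detection built on WriteProcessMemory alone should also look for the section-mapping signatures.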

Network

The first five TCP rows carry no domain (no matching DNS query in the capture); the remaining rows follow the same lookup-then-HTTP pattern as the Windows 7 run. www.oqpqqa.space was queried but never contacted. www.woodshiremhc.com and www.phoenixautonomousdrills.com were contacted in both detonations, from the same IPs.

Country Destination Domain Proto
NL 104.109.143.9:80 tcp
US 93.184.220.29:80 tcp
US 13.89.179.8:443 tcp
US 8.238.111.254:80 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 www.woodshiremhc.com udp
US 74.115.45.120:80 www.woodshiremhc.com tcp
US 8.8.8.8:53 www.zsdazyy.com udp
HK 156.232.154.162:80 www.zsdazyy.com tcp
US 8.8.8.8:53 www.oqpqqa.space udp
US 8.8.8.8:53 www.good-peruseytoperusetoday.info udp
US 52.200.164.252:80 www.good-peruseytoperusetoday.info tcp
US 8.8.8.8:53 www.whatcrawfish.com udp
US 199.59.243.220:80 www.whatcrawfish.com tcp
US 8.8.8.8:53 www.plushora.com udp
CA 23.227.38.74:80 www.plushora.com tcp
US 8.8.8.8:53 www.darkperseus.net udp
US 198.54.117.215:80 www.darkperseus.net tcp
US 8.8.8.8:53 www.timestablespassport.com udp
DE 3.64.163.50:80 www.timestablespassport.com tcp
US 8.8.8.8:53 www.civilspeak.com udp
US 15.197.142.173:80 www.civilspeak.com tcp
US 8.8.8.8:53 www.marthalerr.com udp
US 192.0.78.24:80 www.marthalerr.com tcp
US 8.8.8.8:53 www.phoenixautonomousdrills.com udp
US 34.102.136.180:80 www.phoenixautonomousdrills.com tcp
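The two Network tables are what an analyst turns into indicators, and the useful step is correlating each DNS row with the TCP row that follows it. The script below is an added example, not part of the sandbox report or of any tria.ge tooling. NETWORK_ROWS is constructed from both Network tables above in the report's own column layout; the triage categories (queried-only, contacted, shared IPs, untagged connections) are this example's own. It deliberately does not try to separate decoy domains from the real C2, because that cannot be read off the traffic table.

```python
"""Correlate the report's DNS and TCP rows into a triage view of the domain list.

Added example, not part of the sandbox report. NETWORK_ROWS is constructed from
the Network tables of both detonations.
"""
import re
from collections import defaultdict

NETWORK_ROWS = """
US 8.8.8.8:53 www.izopop.com udp
CA 23.227.38.74:80 www.izopop.com tcp
US 8.8.8.8:53 www.reiswaarvoor.com udp
US 8.8.8.8:53 www.agencesarahm.com udp
NL 142.250.179.147:80 www.agencesarahm.com tcp
US 8.8.8.8:53 www.woodshiremhc.com udp
US 74.115.45.120:80 www.woodshiremhc.com tcp
US 8.8.8.8:53 www.phoenixautonomousdrills.com udp
US 34.102.136.180:80 www.phoenixautonomousdrills.com tcp
US 8.8.8.8:53 www.foxfyr.com udp
US 23.81.144.134:80 www.foxfyr.com tcp
US 8.8.8.8:53 www.renkliavm.com udp
TR 94.199.206.56:80 www.renkliavm.com tcp
US 8.8.8.8:53 www.shannonmeissner.com udp
NL 104.109.143.9:80 tcp
US 93.184.220.29:80 tcp
US 13.89.179.8:443 tcp
US 8.238.111.254:80 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 www.woodshiremhc.com udp
US 74.115.45.120:80 www.woodshiremhc.com tcp
US 8.8.8.8:53 www.zsdazyy.com udp
HK 156.232.154.162:80 www.zsdazyy.com tcp
US 8.8.8.8:53 www.oqpqqa.space udp
US 8.8.8.8:53 www.good-peruseytoperusetoday.info udp
US 52.200.164.252:80 www.good-peruseytoperusetoday.info tcp
US 8.8.8.8:53 www.whatcrawfish.com udp
US 199.59.243.220:80 www.whatcrawfish.com tcp
US 8.8.8.8:53 www.plushora.com udp
CA 23.227.38.74:80 www.plushora.com tcp
US 8.8.8.8:53 www.darkperseus.net udp
US 198.54.117.215:80 www.darkperseus.net tcp
US 8.8.8.8:53 www.timestablespassport.com udp
DE 3.64.163.50:80 www.timestablespassport.com tcp
US 8.8.8.8:53 www.civilspeak.com udp
US 15.197.142.173:80 www.civilspeak.com tcp
US 8.8.8.8:53 www.marthalerr.com udp
US 192.0.78.24:80 www.marthalerr.com tcp
US 8.8.8.8:53 www.phoenixautonomousdrills.com udp
US 34.102.136.180:80 www.phoenixautonomousdrills.com tcp
"""

# "<CC> <ip>:<port> [<domain>] <proto>"; the domain column is optional.
ROW = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (udp|tcp)$")


def parse_rows(text):
    """One dict per non-empty row; raises on anything not in the report's layout."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append({"cc": m[1], "ip": m[2], "port": int(m[3]), "domain": m[4], "proto": m[5]})
    return rows


def triage(rows):
    """Split the table into the four buckets an analyst actually acts on."""
    queried, contacted = set(), defaultdict(set)
    by_ip, untagged = defaultdict(set), set()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            queried.add(r["domain"])                      # DNS lookup seen
        elif r["proto"] == "tcp" and r["domain"]:
            contacted[r["domain"]].add((r["ip"], r["port"]))  # lookup followed by a connection
            by_ip[r["ip"]].add(r["domain"])
        elif r["proto"] == "tcp":
            untagged.add((r["ip"], r["port"]))            # connection with no DNS context
    return {
        "queried_only": sorted(queried - set(contacted)),  # NXDOMAIN / never contacted
        "contacted": {d: sorted(v) for d, v in sorted(contacted.items())},
        "shared_ips": {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1},
        "untagged": sorted(untagged),
    }


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_ROWS))
    for bucket, value in result.items():
        print(f"{bucket}: {value}")
```

Across both runs this yields 14 contacted domains, 3 that were queried but never connected to, one IP (23.227.38.74) that fronts two different domains in the list, and 4 connections with no DNS context. The contacted list is a candidate set for the Suricata hit, not a C2 list: with this family most configured domains are decoys, and only a capture of the check-in GET itself tells you which one answered.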

Files

All entries are memory dumps, as in the Windows 7 run. The 0x29000-byte region 0x400000-0x429000 in PID 5000 (the surviving loader copy) and the same-sized region 0x780000-0x7A9000 in the hijacked cmd.exe (PID 3968) match the sizes seen for PIDs 1524 and 112 in behavioral1, consistent with the same unpacked payload image being present at both injection stages on both platforms.

memory/5032-130-0x0000000000EA0000-0x0000000000F12000-memory.dmp

memory/5032-131-0x0000000005EC0000-0x0000000006464000-memory.dmp

memory/5032-132-0x0000000005910000-0x00000000059A2000-memory.dmp

memory/5032-133-0x00000000058B0000-0x00000000058BA000-memory.dmp

memory/5032-134-0x0000000009640000-0x00000000096DC000-memory.dmp

memory/3708-135-0x0000000000000000-mapping.dmp

memory/5000-136-0x0000000000000000-mapping.dmp

memory/5000-137-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5000-139-0x0000000001560000-0x00000000018AA000-memory.dmp

memory/5000-140-0x0000000001370000-0x0000000001381000-memory.dmp

memory/1092-141-0x00000000082C0000-0x00000000083C7000-memory.dmp

memory/5000-143-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3968-142-0x0000000000000000-mapping.dmp

memory/3968-144-0x0000000000CA0000-0x0000000000CFA000-memory.dmp

memory/3968-145-0x0000000001170000-0x00000000014BA000-memory.dmp

memory/3968-147-0x0000000000780000-0x00000000007A9000-memory.dmp

memory/1076-146-0x0000000000000000-mapping.dmp

memory/3968-148-0x0000000000F10000-0x0000000000FA0000-memory.dmp

memory/1092-149-0x00000000083D0000-0x00000000084E7000-memory.dmp

memory/3968-150-0x0000000000780000-0x00000000007A9000-memory.dmp

memory/1092-151-0x00000000083D0000-0x00000000084E7000-memory.dmp