Malware Analysis Report

2025-08-05 13:52

Sample ID 220621-lcf2dsehf2
Target 1.exe.vir
SHA256 61f7409c356d9376b580f156b4b775fb91aa34a4687642bc9c7f4673cffca0ca
Tags
rat uniz xloader formbook loader persistence spyware stealer suricata trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

61f7409c356d9376b580f156b4b775fb91aa34a4687642bc9c7f4673cffca0ca

Threat Level: Known bad

The file 1.exe.vir was found to be: Known bad.

Analyst summary (derived from the behavioral1 / Windows 7 and behavioral2 / Windows 10 runs below)

1.exe enables SeDebugPrivilege and sets the thread context of Explorer.EXE, i.e. it injects into the shell. Explorer.EXE then writes into a 32-bit system binary (cmmon32.exe on Windows 7, NETSTAT.EXE on Windows 10), and that process carries out everything that follows.

A copy of the sample is written to a random-named directory under C:\Program Files (x86)\ (Ger1tiv_h\mfcer-p6tep.exe, Dqdf8\chkdskp6ql.exe). The dropped file has exactly the sample's hashes, so it is a plain self-copy rather than a second-stage payload. Persistence is a randomly named Run value pointing at that copy (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run on Windows 7, HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run on Windows 10), and the original in %TEMP% is removed with cmd /c del.

On Windows 10 the injected process also copies the Chrome and Edge "Login Data" credential databases to %TEMP%\DB1 with cmd /c copy ... /V. On both platforms it creates the Internet Explorer IntelliForms\Storage2 key, where IE keeps autocomplete form data, and writes into a Firefox.exe process.

Network activity is HTTP on port 80 to a long list of www.* domains, and Suricata matched the FormBook C2 check-in signatures (GET and POST). Formbook/Xloader sends its check-ins to decoy domains as well as the real C2, so the domain lists below should not be used as a blocklist without further corroboration.

Malicious Activity Summary

rat uniz xloader formbook loader persistence spyware stealer suricata trojan

Formbook

Xloader family

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload

Xloader

Xloader Payload

Executes dropped EXE

Adds policy Run key to start application

Checks computer location settings

Reads user/profile data of web browsers

Deletes itself

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Gathers network information

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-21 09:23

Signatures

Xloader Payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Xloader family

xloader

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-21 09:23

Reported

2022-06-21 09:25

Platform

win7-20220414-en

Max time kernel

150s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Xloader

loader xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata

Xloader Payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\cmmon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JRMXEFPPWFM = "C:\\Program Files (x86)\\Ger1tiv_h\\mfcer-p6tep.exe" C:\Windows\SysWOW64\cmmon32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1520 set thread context of 1296 N/A C:\Users\Admin\AppData\Local\Temp\1.exe C:\Windows\Explorer.EXE
PID 876 set thread context of 1296 N/A C:\Windows\SysWOW64\cmmon32.exe C:\Windows\Explorer.EXE

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe C:\Windows\SysWOW64\cmmon32.exe N/A
File created C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe C:\Windows\Explorer.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\cmmon32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\cmmon32.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Calls
PID 1296 wrote to memory of 876 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmmon32.exe 4
PID 876 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmd.exe 4
PID 876 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmmon32.exe C:\Program Files\Mozilla Firefox\Firefox.exe 5
PID 1296 wrote to memory of 1564 N/A C:\Windows\Explorer.EXE C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe 4
(identical rows collapsed; Calls = number of WriteProcessMemory calls the sandbox reported for that source/target pair)
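The SetThreadContext and WriteProcessMemory rows above, taken together, describe an injection chain. The script below is an added example (not the sandbox's or this report's own code): it parses those rows as the sandbox emits them, one line per reported call, rebuilds every injection path from the submitted sample, and lists the pivot processes that were both injected into and then injected into others. The row text is copied from the behavioral1 tables; the regex, the "pivot" definition and the forward walk are my own and assume the report's fixed row layout (PID, verb, PID, N/A, source image, target image).

```python
"""Rebuild the process-injection chain from the sandbox's SetThreadContext and
WriteProcessMemory rows.  The rows below are copied from the behavioral1 tables
of this report (one row per reported call); the parser and the pivot heuristic
are added here for illustration and are not part of the sandbox's tooling."""
import ntpath
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) N/A (.*)$")

BEHAVIORAL1_ROWS = r"""
PID 1520 set thread context of 1296 N/A C:\Users\Admin\AppData\Local\Temp\1.exe C:\Windows\Explorer.EXE
PID 876 set thread context of 1296 N/A C:\Windows\SysWOW64\cmmon32.exe C:\Windows\Explorer.EXE
PID 1296 wrote to memory of 876 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmmon32.exe
PID 1296 wrote to memory of 876 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmmon32.exe
PID 1296 wrote to memory of 876 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmmon32.exe
PID 1296 wrote to memory of 876 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmmon32.exe
PID 876 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmd.exe
PID 876 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmd.exe
PID 876 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmd.exe
PID 876 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmd.exe
PID 876 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmmon32.exe C:\Program Files\Mozilla Firefox\Firefox.exe
PID 876 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmmon32.exe C:\Program Files\Mozilla Firefox\Firefox.exe
PID 876 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmmon32.exe C:\Program Files\Mozilla Firefox\Firefox.exe
PID 876 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmmon32.exe C:\Program Files\Mozilla Firefox\Firefox.exe
PID 876 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmmon32.exe C:\Program Files\Mozilla Firefox\Firefox.exe
PID 1296 wrote to memory of 1564 N/A C:\Windows\Explorer.EXE C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe
PID 1296 wrote to memory of 1564 N/A C:\Windows\Explorer.EXE C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe
PID 1296 wrote to memory of 1564 N/A C:\Windows\Explorer.EXE C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe
PID 1296 wrote to memory of 1564 N/A C:\Windows\Explorer.EXE C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe
"""


def parse_rows(text):
    """One event per row: (src_pid, dst_pid, kind, src_image, dst_image)."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, verb, dst, paths = m.groups()
        # Both image columns are absolute Windows paths (which may contain spaces);
        # split at the boundary just before the second drive letter.
        src_img, dst_img = re.split(r" (?=[A-Za-z]:\\)", paths, maxsplit=1)
        kind = "ctx" if verb.startswith("set") else "write"
        events.append((int(src), int(dst), kind, src_img, dst_img))
    return events


def image_names(events):
    """PID -> image basename, learned from both columns of every row."""
    names = {}
    for src, dst, _, src_img, dst_img in events:
        names[src] = ntpath.basename(src_img)
        names[dst] = ntpath.basename(dst_img)
    return names


def edge_counts(events):
    """How many times each (src_pid, dst_pid, kind) edge was reported."""
    return Counter((src, dst, kind) for src, dst, kind, _, _ in events)


def pivots(events):
    """PIDs that were injected into and then injected into others: the hosts the malware runs from."""
    injected = {dst for _, dst, _, _, _ in events}
    injectors = {src for src, _, _, _, _ in events}
    return sorted(injected & injectors)


def chains(events, root):
    """Every injection path from root, following ctx/write edges forward (cycles cut)."""
    adj = defaultdict(set)
    for src, dst, _, _, _ in events:
        adj[src].add(dst)
    paths = []

    def walk(pid, path):
        nxt = sorted(d for d in adj[pid] if d not in path)
        if not nxt:
            paths.append(path)
        for d in nxt:
            walk(d, path + [d])

    walk(root, [root])
    return paths


def chain_names(events, root):
    """Same paths as chains(), rendered with image basenames instead of PIDs."""
    names = image_names(events)
    return [" -> ".join(names[p] for p in path) for path in chains(events, root)]


if __name__ == "__main__":
    evs = parse_rows(BEHAVIORAL1_ROWS)
    for path in chain_names(evs, 1520):
        print(path)
    print("pivots:", pivots(evs))
    for (src, dst, kind), n in sorted(edge_counts(evs).items()):
        print(f"{src} -{kind}-> {dst}: {n} call(s)")
```

Run as-is it prints three paths rooted at 1.exe (through Explorer.EXE to cmmon32.exe and on to cmd.exe and Firefox.exe, and from Explorer.EXE to the Program Files copy) and reports 876 and 1296 as pivots. The second SetThreadContext row (cmmon32.exe acting on Explorer.EXE) is kept as an edge but cut during the walk because Explorer.EXE is already on the path.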

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1.exe

"C:\Users\Admin\AppData\Local\Temp\1.exe"

C:\Windows\SysWOW64\cmmon32.exe

"C:\Windows\SysWOW64\cmmon32.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\1.exe"

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe

"C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe"

Network

Note: 8.8.8.8:53 udp rows are lookups through the sandbox's resolver, not contacted hosts, and the list covers only what the sample reached within the roughly 150-second run. Formbook/Xloader sends its check-in to a rotating set of domains in which decoys (parked or unrelated legitimate sites) are mixed with the real C2, so a domain's presence here does not by itself make it malicious. Names that were looked up but have no tcp row either did not resolve or were not connected to during the run.

Country Destination Domain Proto
US 8.8.8.8:53 www.diraim.com udp
US 172.67.146.119:80 www.diraim.com tcp
US 8.8.8.8:53 www.siempreesvierness.com udp
ES 31.214.178.109:80 www.siempreesvierness.com tcp
US 8.8.8.8:53 www.shoppingmodernobrasil.com udp
US 192.185.222.95:80 www.shoppingmodernobrasil.com tcp
US 8.8.8.8:53 www.mrrooterzanesville.com udp
US 172.67.197.42:80 www.mrrooterzanesville.com tcp
US 8.8.8.8:53 www.unlockada.com udp
US 34.117.168.233:80 www.unlockada.com tcp
US 8.8.8.8:53 www.saketotomoni.com udp
JP 160.251.71.93:80 www.saketotomoni.com tcp
US 8.8.8.8:53 www.toto86.xyz udp
US 188.114.97.0:80 www.toto86.xyz tcp
US 8.8.8.8:53 www.tolbertasc.com udp
US 34.117.168.233:80 www.tolbertasc.com tcp
US 8.8.8.8:53 www.e9hwcloud.com udp
US 8.8.8.8:53 www.mexicalimerchandisecompany.net udp
US 8.8.8.8:53 www.meanfriendsnft.com udp
US 172.67.135.169:80 www.meanfriendsnft.com tcp
US 8.8.8.8:53 www.senior-living-homes1.life udp
DE 64.190.62.22:80 www.senior-living-homes1.life tcp
US 8.8.8.8:53 www.ginnusgbs.com udp
US 68.65.121.25:80 www.ginnusgbs.com tcp
US 8.8.8.8:53 www.centra4858.com udp
US 40.65.124.100:80 www.centra4858.com tcp
US 40.65.124.100:80 www.centra4858.com tcp
US 8.8.8.8:53 www.relxedm.com udp
ID 139.99.67.104:80 www.relxedm.com tcp
ID 139.99.67.104:80 www.relxedm.com tcp
US 8.8.8.8:53 www.gq5sf0.xyz udp
CN 45.248.10.244:80 www.gq5sf0.xyz tcp
US 8.8.8.8:53 www.softlandingny.com udp

Files

memory/1520-54-0x00000000008B0000-0x0000000000BB3000-memory.dmp

memory/1520-55-0x0000000000270000-0x0000000000281000-memory.dmp

memory/1296-56-0x00000000072D0000-0x0000000007476000-memory.dmp

memory/876-57-0x0000000000000000-mapping.dmp

memory/964-58-0x0000000000000000-mapping.dmp

memory/876-59-0x0000000000210000-0x000000000021D000-memory.dmp

memory/876-60-0x0000000001F20000-0x0000000002223000-memory.dmp

memory/876-61-0x0000000000080000-0x00000000000AC000-memory.dmp

memory/1296-63-0x0000000006240000-0x00000000062E4000-memory.dmp

memory/876-62-0x0000000001D90000-0x0000000001E20000-memory.dmp

memory/876-64-0x0000000000080000-0x00000000000AC000-memory.dmp

memory/1296-65-0x0000000006240000-0x00000000062E4000-memory.dmp

memory/876-66-0x0000000076451000-0x0000000076453000-memory.dmp

C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe

MD5 509edfdb29a62b6e704548051f8288d7
SHA1 092709e1a4bdb9e154201f243faf7be0a6754806
SHA256 61f7409c356d9376b580f156b4b775fb91aa34a4687642bc9c7f4673cffca0ca
SHA512 10f97e788c0753de73f47ce30eb0617d84db1731e3279aa96343ce7fbf77b6ae6b073a6fad3dfafd26bbf10928a0ce1daf35aa382d8d2b717d182aab235ee954

memory/1564-69-0x0000000000880000-0x0000000000B83000-memory.dmp

memory/1564-67-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe

MD5 509edfdb29a62b6e704548051f8288d7
SHA1 092709e1a4bdb9e154201f243faf7be0a6754806
SHA256 61f7409c356d9376b580f156b4b775fb91aa34a4687642bc9c7f4673cffca0ca
SHA512 10f97e788c0753de73f47ce30eb0617d84db1731e3279aa96343ce7fbf77b6ae6b073a6fad3dfafd26bbf10928a0ce1daf35aa382d8d2b717d182aab235ee954

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-21 09:23

Reported

2022-06-21 09:25

Platform

win10v2004-20220414-en

Max time kernel

149s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Xloader

loader xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

suricata

Xloader Payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\NETSTAT.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XBML08-X = "C:\\Program Files (x86)\\Dqdf8\\chkdskp6ql.exe" C:\Windows\SysWOW64\NETSTAT.EXE N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1088 set thread context of 3084 N/A C:\Users\Admin\AppData\Local\Temp\1.exe C:\Windows\Explorer.EXE
PID 4644 set thread context of 3084 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\Explorer.EXE

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe C:\Windows\SysWOW64\NETSTAT.EXE N/A
File opened for modification C:\Program Files (x86)\Dqdf8 C:\Windows\Explorer.EXE N/A
File created C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe C:\Windows\Explorer.EXE N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\NETSTAT.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\1.exe N/A 4
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A 42
N/A N/A C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe N/A 2
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A 12
(identical rows collapsed in the order reported; Count = number of times the signature fired for that process)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Calls
PID 3084 wrote to memory of 4644 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NETSTAT.EXE 3
PID 4644 wrote to memory of 1988 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\cmd.exe 3
PID 4644 wrote to memory of 3992 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\cmd.exe 3
PID 4644 wrote to memory of 2960 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\cmd.exe 3
PID 4644 wrote to memory of 4448 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Program Files\Mozilla Firefox\Firefox.exe 3
PID 3084 wrote to memory of 4928 N/A C:\Windows\Explorer.EXE C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe 3
(identical rows collapsed; Calls = number of WriteProcessMemory calls the sandbox reported for that source/target pair)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1.exe

"C:\Users\Admin\AppData\Local\Temp\1.exe"

C:\Windows\SysWOW64\NETSTAT.EXE

"C:\Windows\SysWOW64\NETSTAT.EXE"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\1.exe"

C:\Windows\SysWOW64\cmd.exe

/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

C:\Windows\SysWOW64\cmd.exe

/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe

"C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe"
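The behaviours the two runs share (a Run value written by a 32-bit system binary, cmd.exe copying browser "Login Data" stores to %TEMP%, cmd.exe deleting the dropper from %TEMP%) map directly onto Sysmon events 13 and 1. The script below is an added example, not part of the report or the sandbox: it runs three such rules over constructed Sysmon-style records whose values are taken from this report, plus two benign records for contrast. The field names follow Sysmon's schema; the regexes and the small allowlist of system binaries permitted to write Run values are assumptions to tune per environment.

```python
"""Detection logic for the three host-side behaviours this report shows
(Run-key persistence written by a system binary, cmd.exe copying browser
credential stores, cmd.exe deleting the dropper from %TEMP%), run over
Sysmon-style event records.  Added example, not part of the report or the
sandbox; the events are constructed from values in this report, and the
regexes and allowlist are assumptions to tune per environment."""
import ntpath
import re

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Policies\\Explorer\\)?Run\\", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)
# Chromium "Login Data" plus the Firefox logins.json / key4.db pair
CRED_STORE_RE = re.compile(r"Login Data|logins\.json|key4\.db", re.IGNORECASE)
TEMP_EXE_DEL_RE = re.compile(r'/c\s+del\s+"?[^"]*\\AppData\\Local\\Temp\\[^"]+\.exe"?', re.IGNORECASE)
RUN_WRITER_ALLOWLIST = {"msiexec.exe", "svchost.exe"}  # assumption: system binaries allowed to set Run values


def _basename(ev, key="Image"):
    return ntpath.basename(ev.get(key, "")).lower()


def rule_autorun_by_system_binary(ev):
    """Sysmon event 13 (value set) under a Run or Policies\\Explorer\\Run key by a System32/SysWOW64 binary."""
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return False
    image = ev.get("Image", "")
    return bool(SYSTEM_DIR_RE.match(image)) and _basename(ev) not in RUN_WRITER_ALLOWLIST


def rule_browser_credstore_copy(ev):
    """Sysmon event 1 (process create): cmd.exe copying a browser credential database."""
    if ev.get("EventID") != 1 or _basename(ev) != "cmd.exe":
        return False
    cmd = ev.get("CommandLine", "")
    return "copy" in cmd.lower() and bool(CRED_STORE_RE.search(cmd))


def rule_self_delete_from_temp(ev):
    """Sysmon event 1: cmd.exe /c del of an .exe under %LOCALAPPDATA%\\Temp (dropper cleanup)."""
    if ev.get("EventID") != 1 or _basename(ev) != "cmd.exe":
        return False
    return bool(TEMP_EXE_DEL_RE.search(ev.get("CommandLine", "")))


RULES = {
    "autorun_by_system_binary": rule_autorun_by_system_binary,
    "browser_credstore_copy": rule_browser_credstore_copy,
    "self_delete_from_temp": rule_self_delete_from_temp,
}


def evaluate(events):
    """Return (rule_name, event_index) for every rule that fires, in event order."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


# Constructed events: values taken from this report, field names as in Sysmon.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XBML08-X",
     "Details": r"C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\cmmon32.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JRMXEFPPWFM",
     "Details": r"C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\Setup.exe",  # benign installer (constructed)
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "CommandLine": r'cmd /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": r"C:\Windows\SysWOW64\cmmon32.exe",
     "CommandLine": r'cmd /c del "C:\Users\Admin\AppData\Local\Temp\1.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd /c dir"},  # benign (constructed)
]

if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{name}: event {idx} ({ev.get('CommandLine') or ev['TargetObject']})")
```

The Run-key rule keys on who writes the value rather than on the random value name, since the name changes per infection while a 32-bit system binary such as NETSTAT.EXE or cmmon32.exe setting an autorun does not happen in normal use. The credential-store rule deliberately matches the file name, not the browser path, so it also catches the Edge copy seen in the Windows 10 run.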

Network

Note: as in the Windows 7 run, most of these names are decoys rotated with the real C2, and rows without a Domain column are connections the sandbox could not tie to a lookup. Four names recur in both runs (www.ginnusgbs.com, www.senior-living-homes1.life, www.saketotomoni.com, www.mrrooterzanesville.com); recurrence makes them the first ones to check against the Suricata hits, though it is not proof of C2 on its own.

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 8.8.8.8:53 www.3dayofferf648.com udp
US 103.224.182.242:80 www.3dayofferf648.com tcp
US 8.8.8.8:53 www.ginnusgbs.com udp
US 68.65.121.25:80 www.ginnusgbs.com tcp
US 8.8.8.8:53 www.merdekaonlineindo.com udp
SG 172.104.57.50:80 www.merdekaonlineindo.com tcp
SG 172.104.57.50:80 www.merdekaonlineindo.com tcp
SG 172.104.57.50:80 www.merdekaonlineindo.com tcp
US 8.8.8.8:53 www.israel-postal.com udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 www.senior-living-homes1.life udp
DE 64.190.62.22:80 www.senior-living-homes1.life tcp
DE 64.190.62.22:80 www.senior-living-homes1.life tcp
DE 64.190.62.22:80 www.senior-living-homes1.life tcp
US 8.8.8.8:53 www.saketotomoni.com udp
JP 160.251.71.93:80 www.saketotomoni.com tcp
JP 160.251.71.93:80 www.saketotomoni.com tcp
JP 160.251.71.93:80 www.saketotomoni.com tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
US 8.8.8.8:53 www.buyordie.tech udp
US 8.8.8.8:53 www.jineshsolar.com udp
US 15.197.142.173:80 www.jineshsolar.com tcp
US 15.197.142.173:80 www.jineshsolar.com tcp
US 15.197.142.173:80 www.jineshsolar.com tcp
US 8.8.8.8:53 www.district3.community udp
NL 216.58.214.19:80 www.district3.community tcp
NL 216.58.214.19:80 www.district3.community tcp
NL 216.58.214.19:80 www.district3.community tcp
US 8.8.8.8:53 www.elfworld.info udp
SG 54.251.89.90:80 www.elfworld.info tcp
SG 54.251.89.90:80 www.elfworld.info tcp
SG 54.251.89.90:80 www.elfworld.info tcp
US 8.8.8.8:53 www.aperfectsteps.com udp
IN 103.20.127.61:80 www.aperfectsteps.com tcp
IN 103.20.127.61:80 www.aperfectsteps.com tcp
IN 103.20.127.61:80 www.aperfectsteps.com tcp
US 8.8.8.8:53 www.legallyspanked.com udp
US 172.80.101.220:80 www.legallyspanked.com tcp
US 172.80.101.220:80 www.legallyspanked.com tcp
US 172.80.101.220:80 www.legallyspanked.com tcp
US 8.8.8.8:53 www.arcjewelleryireland.com udp
CA 23.227.38.74:80 www.arcjewelleryireland.com tcp
CA 23.227.38.74:80 www.arcjewelleryireland.com tcp
CA 23.227.38.74:80 www.arcjewelleryireland.com tcp
US 8.8.8.8:53 www.kercombe.com udp
US 8.8.8.8:53 www.hhbrl.com udp
US 198.54.117.210:80 www.hhbrl.com tcp
US 198.54.117.210:80 www.hhbrl.com tcp
US 198.54.117.210:80 www.hhbrl.com tcp
US 8.8.8.8:53 www.mamemama-blog.com udp
JP 162.43.118.157:80 www.mamemama-blog.com tcp
US 68.65.121.25:80 www.ginnusgbs.com tcp
US 68.65.121.25:80 www.ginnusgbs.com tcp
US 68.65.121.25:80 www.ginnusgbs.com tcp
US 8.8.8.8:53 www.sen-eg.com udp
NL 145.14.151.24:80 www.sen-eg.com tcp
NL 145.14.151.24:80 www.sen-eg.com tcp
NL 145.14.151.24:80 www.sen-eg.com tcp
US 8.8.8.8:53 www.xlmhcb.com udp
HK 23.235.173.189:80 www.xlmhcb.com tcp
HK 23.235.173.189:80 www.xlmhcb.com tcp
HK 23.235.173.189:80 www.xlmhcb.com tcp
US 8.8.8.8:53 www.mrrooterzanesville.com udp
US 172.67.197.42:80 www.mrrooterzanesville.com tcp
US 172.67.197.42:80 www.mrrooterzanesville.com tcp
US 172.67.197.42:80 www.mrrooterzanesville.com tcp
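The Network tables list one row per DNS lookup and one per TCP connection, which makes them easy to misread. The script below is an added example, not part of the report: it parses a subset of rows copied from the two tables above into a per-domain view, separating names that were only looked up from names actually connected to, showing endpoints shared by several names, and listing connections that carry no name at all. It goes slightly beyond the tables as printed by handling the three-column rows (no Domain) alongside the four-column ones.

```python
"""Per-domain view of the report's network rows (Country Destination Domain Proto).
Added example, not part of the report; the rows below are a subset copied from
the two network tables of this report."""
from collections import defaultdict

NETWORK_ROWS = """
US 8.8.8.8:53 www.diraim.com udp
US 172.67.146.119:80 www.diraim.com tcp
US 8.8.8.8:53 www.unlockada.com udp
US 34.117.168.233:80 www.unlockada.com tcp
US 8.8.8.8:53 www.tolbertasc.com udp
US 34.117.168.233:80 www.tolbertasc.com tcp
US 8.8.8.8:53 www.e9hwcloud.com udp
US 8.8.8.8:53 www.mexicalimerchandisecompany.net udp
US 8.8.8.8:53 www.centra4858.com udp
US 40.65.124.100:80 www.centra4858.com tcp
US 40.65.124.100:80 www.centra4858.com tcp
US 8.8.8.8:53 www.softlandingny.com udp
US 93.184.220.29:80 tcp
"""


def parse_network_rows(text):
    """Rows have four columns, or three when the sandbox could not tie a connection to a lookup."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def summarize(rows):
    """Per domain: was it looked up, how many TCP connections, and which (ip, port) endpoints."""
    summary = {}
    for r in rows:
        if r["domain"] is None:
            continue
        s = summary.setdefault(r["domain"], {"queried": False, "connections": 0, "endpoints": set()})
        if r["proto"] == "udp" and r["port"] == 53:
            s["queried"] = True
        elif r["proto"] == "tcp":
            s["connections"] += 1
            s["endpoints"].add((r["ip"], r["port"]))
    return summary


def queried_only(summary):
    """Names looked up but never connected to during the run."""
    return sorted(d for d, s in summary.items() if s["queried"] and s["connections"] == 0)


def shared_endpoints(summary):
    """Endpoints reached under more than one name (shared hosting or CDN front, or one server behind several decoys)."""
    by_ep = defaultdict(set)
    for domain, s in summary.items():
        for ep in s["endpoints"]:
            by_ep[ep].add(domain)
    return {ep: sorted(ds) for ep, ds in by_ep.items() if len(ds) > 1}


def direct_ip_connections(rows):
    """TCP connections with no name attached; check these separately from the domain list."""
    return sorted({(r["ip"], r["port"]) for r in rows if r["domain"] is None and r["proto"] == "tcp"})


if __name__ == "__main__":
    rows = parse_network_rows(NETWORK_ROWS)
    summary = summarize(rows)
    for domain, s in sorted(summary.items()):
        print(f"{domain}: queried={s['queried']} connections={s['connections']} endpoints={sorted(s['endpoints'])}")
    print("queried only:", queried_only(summary))
    print("shared endpoints:", shared_endpoints(summary))
    print("direct IP connections:", direct_ip_connections(rows))
```

On the subset above this reports three names that were looked up but never connected to, one endpoint (34.117.168.233:80) reached under two different names, and one connection with no name. Feeding the full tables through the same functions gives the candidate list to corroborate against the Suricata check-in alerts.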

Files

memory/1088-130-0x00000000010F0000-0x000000000143A000-memory.dmp

memory/1088-131-0x00000000015F0000-0x0000000001601000-memory.dmp

memory/3084-132-0x0000000002B10000-0x0000000002C5B000-memory.dmp

memory/4644-133-0x0000000000000000-mapping.dmp

memory/1988-134-0x0000000000000000-mapping.dmp

memory/4644-136-0x0000000000E30000-0x000000000117A000-memory.dmp

memory/4644-135-0x00000000003D0000-0x00000000003DB000-memory.dmp

memory/4644-137-0x0000000000340000-0x000000000036C000-memory.dmp

memory/4644-138-0x0000000000B50000-0x0000000000BE0000-memory.dmp

memory/3084-139-0x0000000002E00000-0x0000000002EC4000-memory.dmp

memory/4644-140-0x0000000000340000-0x000000000036C000-memory.dmp

memory/3084-141-0x0000000002E00000-0x0000000002EC4000-memory.dmp

memory/3992-142-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DB1

MD5 b608d407fc15adea97c26936bc6f03f6
SHA1 953e7420801c76393902c0d6bb56148947e41571
SHA256 b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512 cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

memory/2960-144-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DB1

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

memory/4928-146-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe

MD5 509edfdb29a62b6e704548051f8288d7
SHA1 092709e1a4bdb9e154201f243faf7be0a6754806
SHA256 61f7409c356d9376b580f156b4b775fb91aa34a4687642bc9c7f4673cffca0ca
SHA512 10f97e788c0753de73f47ce30eb0617d84db1731e3279aa96343ce7fbf77b6ae6b073a6fad3dfafd26bbf10928a0ce1daf35aa382d8d2b717d182aab235ee954

C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe

MD5 509edfdb29a62b6e704548051f8288d7
SHA1 092709e1a4bdb9e154201f243faf7be0a6754806
SHA256 61f7409c356d9376b580f156b4b775fb91aa34a4687642bc9c7f4673cffca0ca
SHA512 10f97e788c0753de73f47ce30eb0617d84db1731e3279aa96343ce7fbf77b6ae6b073a6fad3dfafd26bbf10928a0ce1daf35aa382d8d2b717d182aab235ee954

memory/4928-149-0x00000000018C0000-0x0000000001C0A000-memory.dmp