Malware Analysis Report

2025-06-16 05:12

Sample ID 230117-kgsqbada82
Target ffd1f23d797e701acd68c6fafc43ee52.bin
SHA256 28775ce1bdb5ca7b38745997d9c843f3ff46143879a2cd9f9c5be68c0b238ceb
Tags formbook xloader poub loader persistence rat spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

28775ce1bdb5ca7b38745997d9c843f3ff46143879a2cd9f9c5be68c0b238ceb

Threat Level: Known bad

The file ffd1f23d797e701acd68c6fafc43ee52.bin was found to be: Known bad.

Malicious Activity Summary

formbook xloader poub loader persistence rat spyware stealer trojan

Formbook

Xloader

Xloader payload

Adds policy Run key to start application

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

NSIS installer

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-17 08:34

Signatures

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-17 08:34

Reported

2023-01-17 08:37

Platform

win7-20220812-en

Max time kernel

147s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Xloader

loader xloader

Xloader payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\systray.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\J8TP9VR8BFE = "C:\\Program Files (x86)\\Badll_reh\\msafilu.exe" | C:\Windows\SysWOW64\systray.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1360 set thread context of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
PID 1692 set thread context of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Windows\Explorer.EXE
PID 1516 set thread context of 1264 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Windows\Explorer.EXE

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Badll_reh\msafilu.exe | C:\Windows\SysWOW64\systray.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\systray.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\systray.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1016 wrote to memory of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
PID 1016 wrote to memory of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
PID 1016 wrote to memory of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
PID 1016 wrote to memory of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
PID 1360 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
PID 1360 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
PID 1360 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
PID 1360 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
PID 1360 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
PID 1264 wrote to memory of 1516 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\systray.exe
PID 1264 wrote to memory of 1516 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\systray.exe
PID 1264 wrote to memory of 1516 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\systray.exe
PID 1264 wrote to memory of 1516 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\systray.exe
PID 1516 wrote to memory of 972 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 972 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 972 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 972 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 832 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Program Files\Mozilla Firefox\Firefox.exe
PID 1516 wrote to memory of 832 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Program Files\Mozilla Firefox\Firefox.exe
PID 1516 wrote to memory of 832 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Program Files\Mozilla Firefox\Firefox.exe
PID 1516 wrote to memory of 832 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Program Files\Mozilla Firefox\Firefox.exe
PID 1516 wrote to memory of 832 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Program Files\Mozilla Firefox\Firefox.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe

"C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe"

C:\Users\Admin\AppData\Local\Temp\rqpwm.exe

"C:\Users\Admin\AppData\Local\Temp\rqpwm.exe" C:\Users\Admin\AppData\Local\Temp\ggzllxjrbu.d

C:\Users\Admin\AppData\Local\Temp\rqpwm.exe

"C:\Users\Admin\AppData\Local\Temp\rqpwm.exe"

C:\Windows\SysWOW64\systray.exe

"C:\Windows\SysWOW64\systray.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\rqpwm.exe"

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | www.elektrogo.xyz | udp
N/A | 85.159.66.93:80 | www.elektrogo.xyz | tcp
N/A | 8.8.8.8:53 | www.ppparadise.xyz | udp
N/A | 133.167.73.73:80 | www.ppparadise.xyz | tcp
N/A | 8.8.8.8:53 | www.anglicanadebrasilia.com | udp
N/A | 149.62.37.97:80 | www.anglicanadebrasilia.com | tcp
N/A | 8.8.8.8:53 | www.797322.com | udp
N/A | 136.0.161.67:80 | www.797322.com | tcp
N/A | 8.8.8.8:53 | www.797322.com | udp
N/A | 8.8.8.8:53 | www.w3bsports.club | udp
N/A | 34.102.136.180:80 | www.w3bsports.club | tcp
N/A | 136.0.161.67:80 | www.797322.com | tcp
N/A | 8.8.8.8:53 | www.494msc.com | udp
N/A | 134.73.53.13:80 | www.494msc.com | tcp
N/A | 8.8.8.8:53 | www.peiphitan.com | udp
N/A | 192.64.115.133:80 | www.peiphitan.com | tcp
N/A | 8.8.8.8:53 | www.sqlite.org | udp
N/A | 45.33.6.223:80 | www.sqlite.org | tcp
N/A | 8.8.8.8:53 | www.orange-foam.com | udp
N/A | 3.74.205.160:80 | www.orange-foam.com | tcp
N/A | 8.8.8.8:53 | www.timbereasy.digital | udp
N/A | 8.8.8.8:53 | www.drzjup.space | udp
N/A | 172.255.33.179:80 | www.drzjup.space | tcp
N/A | 8.8.8.8:53 | www.tokendownload.space | udp
N/A | 67.21.71.208:80 | www.tokendownload.space | tcp

Files

memory/1016-54-0x00000000764D1000-0x00000000764D3000-memory.dmp

\Users\Admin\AppData\Local\Temp\rqpwm.exe

MD5 c7b994bf4057f869fbf0fdd87058a5b1
SHA1 49cd3cb0e992b570ddfb82ee539c91e924fae42d
SHA256 9713a086074e9951c6ba4aff6f801c62ca11935aaea623047f21c6b1516174ac
SHA512 b3d511e62c54aa201d00b83e520b714efb295a39030b98558d88b499e90b1d2606ca58dbb3aea4e602912ada7c9582738083ae44890b2a183a262bacb8d1b0d9

\Users\Admin\AppData\Local\Temp\rqpwm.exe

MD5 c7b994bf4057f869fbf0fdd87058a5b1
SHA1 49cd3cb0e992b570ddfb82ee539c91e924fae42d
SHA256 9713a086074e9951c6ba4aff6f801c62ca11935aaea623047f21c6b1516174ac
SHA512 b3d511e62c54aa201d00b83e520b714efb295a39030b98558d88b499e90b1d2606ca58dbb3aea4e602912ada7c9582738083ae44890b2a183a262bacb8d1b0d9

memory/1360-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\rqpwm.exe

MD5 c7b994bf4057f869fbf0fdd87058a5b1
SHA1 49cd3cb0e992b570ddfb82ee539c91e924fae42d
SHA256 9713a086074e9951c6ba4aff6f801c62ca11935aaea623047f21c6b1516174ac
SHA512 b3d511e62c54aa201d00b83e520b714efb295a39030b98558d88b499e90b1d2606ca58dbb3aea4e602912ada7c9582738083ae44890b2a183a262bacb8d1b0d9

C:\Users\Admin\AppData\Local\Temp\ggzllxjrbu.d

MD5 eb6b8d229b54bed8469fb9bcebcaa22d
SHA1 f4bd8ee98476e8520f2e6b8e014f47002555d7e0
SHA256 447204de0bb3b29b0a80fe2d233448dc095825ad00df559278a2a7df01b9be4a
SHA512 39ee1775c22328314c2682bbf93252f87cdb03e8d86c612eb8252729b4ae41c06d0953d3f99c925a2747398e2d175d0b76556d37f600f9e4a3c059a24912694c

C:\Users\Admin\AppData\Local\Temp\ajxwfn.ya

MD5 e9dc02fcc8d07b8c9fb94bfdafd649dc
SHA1 4073f8fd24f056a7d1dc8057ac3b9856b3c5acf8
SHA256 ebcbf2884bbab2f4659135df86ee673072f4b4de530b703674fbb92731f893cb
SHA512 a1abdb620261820d7575c8e9d85a7ef53df46d8980950a3d3db239e72fca86c951306b8066868f61f8b69d25006316d9265317d580eea5012fbfe5ef8e9a0bda

\Users\Admin\AppData\Local\Temp\rqpwm.exe

MD5 c7b994bf4057f869fbf0fdd87058a5b1
SHA1 49cd3cb0e992b570ddfb82ee539c91e924fae42d
SHA256 9713a086074e9951c6ba4aff6f801c62ca11935aaea623047f21c6b1516174ac
SHA512 b3d511e62c54aa201d00b83e520b714efb295a39030b98558d88b499e90b1d2606ca58dbb3aea4e602912ada7c9582738083ae44890b2a183a262bacb8d1b0d9

C:\Users\Admin\AppData\Local\Temp\rqpwm.exe

MD5 c7b994bf4057f869fbf0fdd87058a5b1
SHA1 49cd3cb0e992b570ddfb82ee539c91e924fae42d
SHA256 9713a086074e9951c6ba4aff6f801c62ca11935aaea623047f21c6b1516174ac
SHA512 b3d511e62c54aa201d00b83e520b714efb295a39030b98558d88b499e90b1d2606ca58dbb3aea4e602912ada7c9582738083ae44890b2a183a262bacb8d1b0d9

memory/1692-64-0x000000000041FF10-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\rqpwm.exe

MD5 c7b994bf4057f869fbf0fdd87058a5b1
SHA1 49cd3cb0e992b570ddfb82ee539c91e924fae42d
SHA256 9713a086074e9951c6ba4aff6f801c62ca11935aaea623047f21c6b1516174ac
SHA512 b3d511e62c54aa201d00b83e520b714efb295a39030b98558d88b499e90b1d2606ca58dbb3aea4e602912ada7c9582738083ae44890b2a183a262bacb8d1b0d9

memory/1692-66-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1692-67-0x0000000000800000-0x0000000000B03000-memory.dmp

memory/1692-68-0x00000000002B0000-0x00000000002C1000-memory.dmp

memory/1264-69-0x0000000004A00000-0x0000000004AD0000-memory.dmp

memory/1516-70-0x0000000000000000-mapping.dmp

memory/1516-71-0x0000000000D20000-0x0000000000D25000-memory.dmp

memory/1516-72-0x0000000000080000-0x00000000000AC000-memory.dmp

memory/1516-73-0x0000000002130000-0x0000000002433000-memory.dmp

memory/972-74-0x0000000000000000-mapping.dmp

memory/1264-76-0x0000000004DF0000-0x0000000004EF9000-memory.dmp

memory/1516-75-0x0000000000890000-0x0000000000920000-memory.dmp

memory/1516-77-0x0000000000080000-0x00000000000AC000-memory.dmp

memory/1264-78-0x0000000004DF0000-0x0000000004EF9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-17 08:34

Reported

2023-01-17 08:37

Platform

win10v2004-20221111-en

Max time kernel

159s

Max time network

164s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Xloader

loader xloader

Xloader payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\cmmon32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8PVH86OPZDNX = "C:\\Program Files (x86)\\Uqbsd6t\\zlrpsffbpq.exe" | C:\Windows\SysWOW64\cmmon32.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1136 set thread context of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
PID 4300 set thread context of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Windows\Explorer.EXE
PID 4300 set thread context of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Windows\Explorer.EXE
PID 4592 set thread context of 2540 | N/A | C:\Windows\SysWOW64\cmmon32.exe | C:\Windows\Explorer.EXE

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Uqbsd6t\zlrpsffbpq.exe | C:\Windows\SysWOW64\cmmon32.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \Registry\User\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\cmmon32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2160 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
PID 2160 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
PID 2160 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
PID 1136 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
PID 1136 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
PID 1136 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
PID 1136 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
PID 2540 wrote to memory of 4592 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\cmmon32.exe
PID 2540 wrote to memory of 4592 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\cmmon32.exe
PID 2540 wrote to memory of 4592 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\cmmon32.exe
PID 4592 wrote to memory of 848 | N/A | C:\Windows\SysWOW64\cmmon32.exe | C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 848 | N/A | C:\Windows\SysWOW64\cmmon32.exe | C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 848 | N/A | C:\Windows\SysWOW64\cmmon32.exe | C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 3164 | N/A | C:\Windows\SysWOW64\cmmon32.exe | C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 3164 | N/A | C:\Windows\SysWOW64\cmmon32.exe | C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 3164 | N/A | C:\Windows\SysWOW64\cmmon32.exe | C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 4316 | N/A | C:\Windows\SysWOW64\cmmon32.exe | C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 4316 | N/A | C:\Windows\SysWOW64\cmmon32.exe | C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 4316 | N/A | C:\Windows\SysWOW64\cmmon32.exe | C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 2860 | N/A | C:\Windows\SysWOW64\cmmon32.exe | C:\Program Files\Mozilla Firefox\Firefox.exe
PID 4592 wrote to memory of 2860 | N/A | C:\Windows\SysWOW64\cmmon32.exe | C:\Program Files\Mozilla Firefox\Firefox.exe
PID 4592 wrote to memory of 2860 | N/A | C:\Windows\SysWOW64\cmmon32.exe | C:\Program Files\Mozilla Firefox\Firefox.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe

"C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe"

C:\Users\Admin\AppData\Local\Temp\rqpwm.exe

"C:\Users\Admin\AppData\Local\Temp\rqpwm.exe" C:\Users\Admin\AppData\Local\Temp\ggzllxjrbu.d

C:\Users\Admin\AppData\Local\Temp\rqpwm.exe

"C:\Users\Admin\AppData\Local\Temp\rqpwm.exe"

C:\Windows\SysWOW64\cmmon32.exe

"C:\Windows\SysWOW64\cmmon32.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\rqpwm.exe"

C:\Windows\SysWOW64\cmd.exe

/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

C:\Windows\SysWOW64\cmd.exe

/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

Network

Country | Destination | Domain | Proto
N/A | 93.184.221.240:80 | | tcp
N/A | 104.80.225.205:443 | | tcp
N/A | 20.189.173.12:443 | | tcp
N/A | 8.8.8.8:53 | www.solarisgp.com | udp
N/A | 139.162.163.163:80 | www.solarisgp.com | tcp
N/A | 87.248.202.1:80 | | tcp
N/A | 87.248.202.1:80 | | tcp
N/A | 87.248.202.1:80 | | tcp
N/A | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp
N/A | 8.8.8.8:53 | www.drzjup.space | udp
N/A | 172.255.33.179:80 | www.drzjup.space | tcp
N/A | 8.8.8.8:53 | www.drzjup.space | udp
N/A | 172.255.33.179:80 | www.drzjup.space | tcp
N/A | 8.8.8.8:53 | www.rejuvenescerzero.site | udp
N/A | 8.8.8.8:53 | www.797322.com | udp
N/A | 136.0.161.67:80 | www.797322.com | tcp
N/A | 8.8.8.8:53 | www.797322.com | udp
N/A | 136.0.161.67:80 | www.797322.com | tcp
N/A | 8.8.8.8:53 | www.atomicconnections.org | udp
N/A | 8.8.8.8:53 | www.bayuerlangga.com | udp
N/A | 203.175.9.15:80 | www.bayuerlangga.com | tcp
N/A | 8.8.8.8:53 | www.peiphitan.com | udp
N/A | 192.64.115.133:80 | www.peiphitan.com | tcp
N/A | 8.8.8.8:53 | www.kcgjz.top | udp
N/A | 188.114.97.0:80 | www.kcgjz.top | tcp
N/A | 188.114.97.0:80 | www.kcgjz.top | tcp
N/A | 8.8.8.8:53 | www.anaygus.com | udp
N/A | 72.167.68.223:80 | www.anaygus.com | tcp
N/A | 72.167.68.223:80 | www.anaygus.com | tcp
N/A | 8.8.8.8:53 | www.vybzhighmusic.mobi | udp
N/A | 34.102.136.180:80 | www.vybzhighmusic.mobi | tcp
N/A | 34.102.136.180:80 | www.vybzhighmusic.mobi | tcp
N/A | 8.8.8.8:53 | www.soldbylena.com | udp
N/A | 216.58.208.115:80 | www.soldbylena.com | tcp
N/A | 216.58.208.115:80 | www.soldbylena.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\rqpwm.exe

MD5 c7b994bf4057f869fbf0fdd87058a5b1
SHA1 49cd3cb0e992b570ddfb82ee539c91e924fae42d
SHA256 9713a086074e9951c6ba4aff6f801c62ca11935aaea623047f21c6b1516174ac
SHA512 b3d511e62c54aa201d00b83e520b714efb295a39030b98558d88b499e90b1d2606ca58dbb3aea4e602912ada7c9582738083ae44890b2a183a262bacb8d1b0d9

memory/1136-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\rqpwm.exe

MD5 c7b994bf4057f869fbf0fdd87058a5b1
SHA1 49cd3cb0e992b570ddfb82ee539c91e924fae42d
SHA256 9713a086074e9951c6ba4aff6f801c62ca11935aaea623047f21c6b1516174ac
SHA512 b3d511e62c54aa201d00b83e520b714efb295a39030b98558d88b499e90b1d2606ca58dbb3aea4e602912ada7c9582738083ae44890b2a183a262bacb8d1b0d9

C:\Users\Admin\AppData\Local\Temp\ggzllxjrbu.d

MD5 eb6b8d229b54bed8469fb9bcebcaa22d
SHA1 f4bd8ee98476e8520f2e6b8e014f47002555d7e0
SHA256 447204de0bb3b29b0a80fe2d233448dc095825ad00df559278a2a7df01b9be4a
SHA512 39ee1775c22328314c2682bbf93252f87cdb03e8d86c612eb8252729b4ae41c06d0953d3f99c925a2747398e2d175d0b76556d37f600f9e4a3c059a24912694c

C:\Users\Admin\AppData\Local\Temp\ajxwfn.ya

MD5 e9dc02fcc8d07b8c9fb94bfdafd649dc
SHA1 4073f8fd24f056a7d1dc8057ac3b9856b3c5acf8
SHA256 ebcbf2884bbab2f4659135df86ee673072f4b4de530b703674fbb92731f893cb
SHA512 a1abdb620261820d7575c8e9d85a7ef53df46d8980950a3d3db239e72fca86c951306b8066868f61f8b69d25006316d9265317d580eea5012fbfe5ef8e9a0bda

memory/4300-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\rqpwm.exe

MD5 c7b994bf4057f869fbf0fdd87058a5b1
SHA1 49cd3cb0e992b570ddfb82ee539c91e924fae42d
SHA256 9713a086074e9951c6ba4aff6f801c62ca11935aaea623047f21c6b1516174ac
SHA512 b3d511e62c54aa201d00b83e520b714efb295a39030b98558d88b499e90b1d2606ca58dbb3aea4e602912ada7c9582738083ae44890b2a183a262bacb8d1b0d9

memory/4300-139-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4300-140-0x0000000000A50000-0x0000000000D9A000-memory.dmp

memory/4300-141-0x00000000006C0000-0x00000000006D1000-memory.dmp

memory/2540-142-0x0000000008110000-0x000000000821D000-memory.dmp

memory/4300-143-0x0000000000730000-0x0000000000741000-memory.dmp

memory/2540-144-0x0000000008220000-0x0000000008330000-memory.dmp

memory/4300-145-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4592-146-0x0000000000000000-mapping.dmp

memory/848-147-0x0000000000000000-mapping.dmp

memory/4592-149-0x0000000000190000-0x00000000001BC000-memory.dmp

memory/4592-148-0x0000000000870000-0x000000000087C000-memory.dmp

memory/4592-150-0x0000000002390000-0x00000000026DA000-memory.dmp

memory/4592-151-0x0000000000190000-0x00000000001BC000-memory.dmp

memory/2540-153-0x0000000008BD0000-0x0000000008CED000-memory.dmp

memory/4592-152-0x00000000020C0000-0x0000000002150000-memory.dmp

memory/2540-154-0x0000000008BD0000-0x0000000008CED000-memory.dmp

memory/3164-155-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DB1

MD5 b608d407fc15adea97c26936bc6f03f6
SHA1 953e7420801c76393902c0d6bb56148947e41571
SHA256 b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512 cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

memory/4316-157-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DB1

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574