Malware Analysis Report

2025-06-16 05:13

Sample ID 230125-zd5ysscb5z
Target 58a93d1d064b9e8265ea798531adb0bf.exe
SHA256 d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c
Tags
formbook xloader poub loader persistence rat spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c

Threat Level: Known bad

The file 58a93d1d064b9e8265ea798531adb0bf.exe was found to be: Known bad.

Malicious Activity Summary

formbook xloader poub loader persistence rat spyware stealer trojan

Formbook

Xloader

Xloader payload

Executes dropped EXE

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported

2023-01-25 20:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-25 20:37

Reported

2023-01-25 20:39

Platform

win7-20220812-en

Max time kernel

150s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Xloader

loader xloader

Xloader payload

rat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\wlanext.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HJSDOL18N = "C:\\Program Files (x86)\\K-zfpa\\update9rn0.exe" C:\Windows\SysWOW64\wlanext.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2008 set thread context of 1452 N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1452 set thread context of 1244 N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe C:\Windows\Explorer.EXE
PID 1232 set thread context of 1244 N/A C:\Windows\SysWOW64\wlanext.exe C:\Windows\Explorer.EXE

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\K-zfpa\update9rn0.exe C:\Windows\SysWOW64\wlanext.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\wlanext.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wlanext.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1896 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\58a93d1d064b9e8265ea798531adb0bf.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 2008 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 1244 wrote to memory of 1232 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wlanext.exe
PID 1232 wrote to memory of 1276 N/A C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 428 N/A C:\Windows\SysWOW64\wlanext.exe C:\Program Files\Mozilla Firefox\Firefox.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\58a93d1d064b9e8265ea798531adb0bf.exe

"C:\Users\Admin\AppData\Local\Temp\58a93d1d064b9e8265ea798531adb0bf.exe"

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe

"C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe" C:\Users\Admin\AppData\Local\Temp\ucpha.v

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe

"C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe"

C:\Windows\SysWOW64\wlanext.exe

"C:\Windows\SysWOW64\wlanext.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe"

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

Network

Files

\Users\Admin\AppData\Local\Temp\xnozsgld.exe

MD5 d8394c44bc790e1bdab00823f689c1bd
SHA1 735d8986424e2ab3440f49a7a720ecaad43d491d
SHA256 234d80febbdd23b49a2ff5db4e51aa33e82cd77ff082ac6e8f32078cdd701007
SHA512 c6dd135932d86f6a7ae2b82045e024fddad3ce7286672c134e8314d2a7a003d237b4b62141b67c7947e6ca1fffa78047e015c5e714cfb56739ef152485cd559e

C:\Users\Admin\AppData\Local\Temp\ucpha.v

MD5 d934356067b6133646fad1aa12371a1e
SHA1 23fe2ea62be0949a32ea6609345a8b8d27ce3757
SHA256 81f2eb3bd3c2135b0d6abdcc4f2e6427a76dac558928d4c8beb648a045010ae5
SHA512 26b50a5599353328bfc4609754ead9efd9e4084e4fdb6a9479ad56ea79aed81648de897e66c3dd1c9de1cdb6eba04855e4498f0d8d09f7804224ba27ceab91d8

C:\Users\Admin\AppData\Local\Temp\hcmpu.cqa

MD5 28eed71dacb4522dbf2c1aeca39e2c5d
SHA1 b5633dcf66f1657552ba992c55e7124250c23a35
SHA256 22bfb554d299b3fc4686643b0522384db2c92ebf64bd80475439b8dd9bbe7bc5
SHA512 7f08bc8237868fb6509baafd3c4a01663b0577ebec86aef9cb185bec13acb8c5787604329a85c74a2ebbc3f39933929a2f36ea21513330124bd2d66363e54cae

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-25 20:37

Reported

2023-01-25 20:39

Platform

win10v2004-20221111-en

Max time kernel

148s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Xloader

loader xloader

Xloader payload

rat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4884 set thread context of 900 N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 900 set thread context of 2640 N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe C:\Windows\Explorer.EXE
PID 1224 set thread context of 2640 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\58a93d1d064b9e8265ea798531adb0bf.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 4884 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
PID 2640 wrote to memory of 1224 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\rundll32.exe
PID 1224 wrote to memory of 3760 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\58a93d1d064b9e8265ea798531adb0bf.exe

"C:\Users\Admin\AppData\Local\Temp\58a93d1d064b9e8265ea798531adb0bf.exe"

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe

"C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe" C:\Users\Admin\AppData\Local\Temp\ucpha.v

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe

"C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe

MD5 d8394c44bc790e1bdab00823f689c1bd
SHA1 735d8986424e2ab3440f49a7a720ecaad43d491d
SHA256 234d80febbdd23b49a2ff5db4e51aa33e82cd77ff082ac6e8f32078cdd701007
SHA512 c6dd135932d86f6a7ae2b82045e024fddad3ce7286672c134e8314d2a7a003d237b4b62141b67c7947e6ca1fffa78047e015c5e714cfb56739ef152485cd559e

C:\Users\Admin\AppData\Local\Temp\ucpha.v

MD5 d934356067b6133646fad1aa12371a1e
SHA1 23fe2ea62be0949a32ea6609345a8b8d27ce3757
SHA256 81f2eb3bd3c2135b0d6abdcc4f2e6427a76dac558928d4c8beb648a045010ae5
SHA512 26b50a5599353328bfc4609754ead9efd9e4084e4fdb6a9479ad56ea79aed81648de897e66c3dd1c9de1cdb6eba04855e4498f0d8d09f7804224ba27ceab91d8

C:\Users\Admin\AppData\Local\Temp\hcmpu.cqa

MD5 28eed71dacb4522dbf2c1aeca39e2c5d
SHA1 b5633dcf66f1657552ba992c55e7124250c23a35
SHA256 22bfb554d299b3fc4686643b0522384db2c92ebf64bd80475439b8dd9bbe7bc5
SHA512 7f08bc8237868fb6509baafd3c4a01663b0577ebec86aef9cb185bec13acb8c5787604329a85c74a2ebbc3f39933929a2f36ea21513330124bd2d66363e54cae
