Analysis Overview
SHA256
64a8c9065258f70f7567b5d52da2738c6e63580cc64a95273b454f45addf50f5
Threat Level: Known bad
The file tmp was found to be: Known bad.
Malicious Activity Summary
Formbook
Xloader
Xloader payload
Executes dropped EXE
Adds policy Run key to start application
Reads user/profile data of web browsers
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Gathers network information
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-26 10:45
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-26 10:45
Reported
2023-01-26 10:47
Platform
win7-20220901-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Formbook
Xloader
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\netsh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JTEXV44PLXX = "C:\\Program Files (x86)\\Gmtqhbpj\\help6ldhghf.exe" | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Gmtqhbpj\help6ldhghf.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1472 set thread context of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe |
| PID 1112 set thread context of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | C:\Windows\Explorer.EXE |
| PID 1112 set thread context of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | C:\Windows\Explorer.EXE |
| PID 844 set thread context of 1360 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Gmtqhbpj\help6ldhghf.exe | C:\Windows\SysWOW64\netsh.exe | N/A |
| File created | C:\Program Files (x86)\Gmtqhbpj\help6ldhghf.exe | C:\Windows\Explorer.EXE | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\Gmtqhbpj\help6ldhghf.exe |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe
"C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe" C:\Users\Admin\AppData\Local\Temp\mewbf.gv
C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe
"C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe"
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe"
C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
C:\Program Files (x86)\Gmtqhbpj\help6ldhghf.exe
"C:\Program Files (x86)\Gmtqhbpj\help6ldhghf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 124
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.eduponics.com | udp |
| N/A | 96.126.101.139:80 | www.eduponics.com | tcp |
| N/A | 8.8.8.8:53 | www.funrepo.com | udp |
| N/A | 204.11.56.48:80 | www.funrepo.com | tcp |
| N/A | 8.8.8.8:53 | www.unitech-usa.com | udp |
| N/A | 8.8.8.8:53 | www.memecourse.com | udp |
| N/A | 8.8.8.8:53 | www.hoochai.com | udp |
| N/A | 146.148.237.179:80 | www.hoochai.com | tcp |
| N/A | 8.8.8.8:53 | www.foodmetaverse.tech | udp |
| N/A | 8.8.8.8:53 | www.auskunfton.com | udp |
| N/A | 192.64.115.133:80 | www.auskunfton.com | tcp |
| N/A | 8.8.8.8:53 | www.sqlite.org | udp |
| N/A | 45.33.6.223:80 | www.sqlite.org | tcp |
| N/A | 8.8.8.8:53 | www.wellnessjourney1.net | udp |
| N/A | 3.13.31.214:80 | www.wellnessjourney1.net | tcp |
| N/A | 8.8.8.8:53 | www.suasemocoes.com | udp |
| N/A | 104.21.85.152:80 | www.suasemocoes.com | tcp |
| N/A | 8.8.8.8:53 | www.dental-implants-41664.com | udp |
| N/A | 185.53.179.92:80 | www.dental-implants-41664.com | tcp |
| N/A | 8.8.8.8:53 | www.trainingwithtonya.com | udp |
| N/A | 8.8.8.8:53 | www.majorcaplanetary.com | udp |
| N/A | 103.178.175.19:80 | www.majorcaplanetary.com | tcp |
| N/A | 8.8.8.8:53 | www.nft1.digital | udp |
| N/A | 185.28.21.205:80 | www.nft1.digital | tcp |
| N/A | 8.8.8.8:53 | www.naturbransle.com | udp |
| N/A | 99.83.154.118:80 | www.naturbransle.com | tcp |
| N/A | 8.8.8.8:53 | www.theconferencearena-46.net | udp |
| N/A | 99.83.154.118:80 | www.naturbransle.com | tcp |
Files
memory/1524-54-0x0000000075B51000-0x0000000075B53000-memory.dmp
\Users\Admin\AppData\Local\Temp\rlgffyq.exe
| MD5 | 44a7bf46a9c01d3e0486c93767b6cc0f |
| SHA1 | 3cc13566319f0d73f4931a101799862907cd361d |
| SHA256 | b016acfefe7a25f43ec9f9e89bff4d03ea9470941e283b10599acb6769cf76b9 |
| SHA512 | e36053cba4c316a26a72857959c12db9813f1c1187c03d2ecfb545fb54fde6286302054b353a6aead3bb15429ffb6bc2d1bee68cb65cf8df7c0994ff3ffe0602 |
memory/1472-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe
| MD5 | 44a7bf46a9c01d3e0486c93767b6cc0f |
| SHA1 | 3cc13566319f0d73f4931a101799862907cd361d |
| SHA256 | b016acfefe7a25f43ec9f9e89bff4d03ea9470941e283b10599acb6769cf76b9 |
| SHA512 | e36053cba4c316a26a72857959c12db9813f1c1187c03d2ecfb545fb54fde6286302054b353a6aead3bb15429ffb6bc2d1bee68cb65cf8df7c0994ff3ffe0602 |
C:\Users\Admin\AppData\Local\Temp\mewbf.gv
| MD5 | 3c244d8bf6174dbc41727abc9ece7acf |
| SHA1 | 797f05cbef6c579880841488a2ef85a8064db9fa |
| SHA256 | fa3e5994908aed3ee28a15d4f45f396603fd9026db11a342a90c590f5d48a85b |
| SHA512 | 93030940192dcbe0e83895c89de7d57998199fdd6dc71d4dd76d62b2fbadff9aa2a43aea5797bc3d1b17afeda64104a202bde6255647f04a6cb42b8f5282b253 |
C:\Users\Admin\AppData\Local\Temp\zkoclolbinv.obd
| MD5 | 7ae7dcc7e63caee1fd3da08154fa103d |
| SHA1 | c2c152ce21732ad9be3c06d28de2aa28340a095a |
| SHA256 | 5395f4b1e2cdd4ab2cc06957df8e8f4264cfea3fbd7e6970ab9e9a6f0ff2d58b |
| SHA512 | c707b92084a8bde6c11bfa36519389c017cda33b8e1223a116e3055549d7c713f05d16113f739e466c9d3d03dbc8b32058eee43c3caace8e8a6ab4adfb6c232b |
\Users\Admin\AppData\Local\Temp\rlgffyq.exe
| MD5 | 44a7bf46a9c01d3e0486c93767b6cc0f |
| SHA1 | 3cc13566319f0d73f4931a101799862907cd361d |
| SHA256 | b016acfefe7a25f43ec9f9e89bff4d03ea9470941e283b10599acb6769cf76b9 |
| SHA512 | e36053cba4c316a26a72857959c12db9813f1c1187c03d2ecfb545fb54fde6286302054b353a6aead3bb15429ffb6bc2d1bee68cb65cf8df7c0994ff3ffe0602 |
C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe
| MD5 | 44a7bf46a9c01d3e0486c93767b6cc0f |
| SHA1 | 3cc13566319f0d73f4931a101799862907cd361d |
| SHA256 | b016acfefe7a25f43ec9f9e89bff4d03ea9470941e283b10599acb6769cf76b9 |
| SHA512 | e36053cba4c316a26a72857959c12db9813f1c1187c03d2ecfb545fb54fde6286302054b353a6aead3bb15429ffb6bc2d1bee68cb65cf8df7c0994ff3ffe0602 |
C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe
| MD5 | 44a7bf46a9c01d3e0486c93767b6cc0f |
| SHA1 | 3cc13566319f0d73f4931a101799862907cd361d |
| SHA256 | b016acfefe7a25f43ec9f9e89bff4d03ea9470941e283b10599acb6769cf76b9 |
| SHA512 | e36053cba4c316a26a72857959c12db9813f1c1187c03d2ecfb545fb54fde6286302054b353a6aead3bb15429ffb6bc2d1bee68cb65cf8df7c0994ff3ffe0602 |
memory/1112-62-0x0000000000420000-mapping.dmp
memory/1112-64-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1112-65-0x0000000000850000-0x0000000000B53000-memory.dmp
memory/1112-66-0x00000000002C0000-0x00000000002D1000-memory.dmp
memory/1360-67-0x0000000004920000-0x0000000004A64000-memory.dmp
memory/1112-68-0x0000000000330000-0x0000000000341000-memory.dmp
memory/1360-69-0x0000000004D40000-0x0000000004DF1000-memory.dmp
memory/1112-71-0x0000000000400000-0x000000000042C000-memory.dmp
memory/844-70-0x0000000000000000-mapping.dmp
memory/1320-72-0x0000000000000000-mapping.dmp
memory/844-73-0x00000000009A0000-0x00000000009BB000-memory.dmp
memory/844-74-0x00000000001C0000-0x00000000001EC000-memory.dmp
memory/844-75-0x0000000001F50000-0x0000000002253000-memory.dmp
memory/844-76-0x0000000002260000-0x00000000022F0000-memory.dmp
memory/1360-77-0x0000000006430000-0x000000000651C000-memory.dmp
memory/844-78-0x00000000001C0000-0x00000000001EC000-memory.dmp
memory/1360-79-0x0000000006430000-0x000000000651C000-memory.dmp
memory/1636-81-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Gmtqhbpj\help6ldhghf.exe
| MD5 | 44a7bf46a9c01d3e0486c93767b6cc0f |
| SHA1 | 3cc13566319f0d73f4931a101799862907cd361d |
| SHA256 | b016acfefe7a25f43ec9f9e89bff4d03ea9470941e283b10599acb6769cf76b9 |
| SHA512 | e36053cba4c316a26a72857959c12db9813f1c1187c03d2ecfb545fb54fde6286302054b353a6aead3bb15429ffb6bc2d1bee68cb65cf8df7c0994ff3ffe0602 |
memory/1804-84-0x0000000000000000-mapping.dmp
\Program Files (x86)\Gmtqhbpj\help6ldhghf.exe
| MD5 | 44a7bf46a9c01d3e0486c93767b6cc0f |
| SHA1 | 3cc13566319f0d73f4931a101799862907cd361d |
| SHA256 | b016acfefe7a25f43ec9f9e89bff4d03ea9470941e283b10599acb6769cf76b9 |
| SHA512 | e36053cba4c316a26a72857959c12db9813f1c1187c03d2ecfb545fb54fde6286302054b353a6aead3bb15429ffb6bc2d1bee68cb65cf8df7c0994ff3ffe0602 |
\Program Files (x86)\Gmtqhbpj\help6ldhghf.exe
| MD5 | 44a7bf46a9c01d3e0486c93767b6cc0f |
| SHA1 | 3cc13566319f0d73f4931a101799862907cd361d |
| SHA256 | b016acfefe7a25f43ec9f9e89bff4d03ea9470941e283b10599acb6769cf76b9 |
| SHA512 | e36053cba4c316a26a72857959c12db9813f1c1187c03d2ecfb545fb54fde6286302054b353a6aead3bb15429ffb6bc2d1bee68cb65cf8df7c0994ff3ffe0602 |
\Program Files (x86)\Gmtqhbpj\help6ldhghf.exe
| MD5 | 44a7bf46a9c01d3e0486c93767b6cc0f |
| SHA1 | 3cc13566319f0d73f4931a101799862907cd361d |
| SHA256 | b016acfefe7a25f43ec9f9e89bff4d03ea9470941e283b10599acb6769cf76b9 |
| SHA512 | e36053cba4c316a26a72857959c12db9813f1c1187c03d2ecfb545fb54fde6286302054b353a6aead3bb15429ffb6bc2d1bee68cb65cf8df7c0994ff3ffe0602 |
\Program Files (x86)\Gmtqhbpj\help6ldhghf.exe
| MD5 | 44a7bf46a9c01d3e0486c93767b6cc0f |
| SHA1 | 3cc13566319f0d73f4931a101799862907cd361d |
| SHA256 | b016acfefe7a25f43ec9f9e89bff4d03ea9470941e283b10599acb6769cf76b9 |
| SHA512 | e36053cba4c316a26a72857959c12db9813f1c1187c03d2ecfb545fb54fde6286302054b353a6aead3bb15429ffb6bc2d1bee68cb65cf8df7c0994ff3ffe0602 |
C:\Program Files (x86)\Gmtqhbpj\help6ldhghf.exe
| MD5 | 44a7bf46a9c01d3e0486c93767b6cc0f |
| SHA1 | 3cc13566319f0d73f4931a101799862907cd361d |
| SHA256 | b016acfefe7a25f43ec9f9e89bff4d03ea9470941e283b10599acb6769cf76b9 |
| SHA512 | e36053cba4c316a26a72857959c12db9813f1c1187c03d2ecfb545fb54fde6286302054b353a6aead3bb15429ffb6bc2d1bee68cb65cf8df7c0994ff3ffe0602 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-26 10:45
Reported
2023-01-26 10:47
Platform
win10v2004-20221111-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Formbook
Xloader
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\R6lkdfn9h\help_tbhil.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZLRDEFV0AV = "C:\\Program Files (x86)\\R6lkdfn9h\\help_tbhil.exe" | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4292 set thread context of 4268 | N/A | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe |
| PID 4268 set thread context of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | C:\Windows\Explorer.EXE |
| PID 1236 set thread context of 3052 | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\R6lkdfn9h | C:\Windows\Explorer.EXE | N/A |
| File created | C:\Program Files (x86)\R6lkdfn9h\help_tbhil.exe | C:\Windows\Explorer.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\R6lkdfn9h\help_tbhil.exe | C:\Windows\Explorer.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\R6lkdfn9h\help_tbhil.exe | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\R6lkdfn9h\help_tbhil.exe |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe
"C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe" C:\Users\Admin\AppData\Local\Temp\mewbf.gv
C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe
"C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe"
C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe"
C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
C:\Program Files (x86)\R6lkdfn9h\help_tbhil.exe
"C:\Program Files (x86)\R6lkdfn9h\help_tbhil.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 408 -ip 408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 340
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.ethoscoverage.com | udp |
| N/A | 66.96.160.134:80 | www.ethoscoverage.com | tcp |
| N/A | 8.8.8.8:53 | www.soulmates.icu | udp |
| N/A | 192.64.117.122:80 | www.soulmates.icu | tcp |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 8.238.20.126:80 | tcp | |
| N/A | 8.238.20.126:80 | tcp | |
| N/A | 8.238.20.126:80 | tcp | |
| N/A | 8.8.8.8:53 | www.majorcaplanetary.com | udp |
| N/A | 103.178.175.19:80 | www.majorcaplanetary.com | tcp |
| N/A | 13.69.109.131:443 | tcp | |
| N/A | 8.8.8.8:53 | www.calcomfcu.site | udp |
| N/A | 209.17.116.163:80 | www.calcomfcu.site | tcp |
| N/A | 8.8.8.8:53 | www.memecourse.com | udp |
| N/A | 8.238.20.126:80 | tcp | |
| N/A | 8.238.20.126:80 | tcp | |
| N/A | 8.238.20.126:80 | tcp | |
| N/A | 8.8.8.8:53 | www.sahanetatil.com | udp |
| N/A | 104.80.225.205:443 | tcp | |
| N/A | 8.8.8.8:53 | www.qgqfsfaml.online | udp |
| N/A | 8.8.8.8:53 | www.hitechjapan.online | udp |
| N/A | 8.8.8.8:53 | www.hungryjana.com | udp |
| N/A | 85.13.151.154:80 | www.hungryjana.com | tcp |
| N/A | 8.8.8.8:53 | www.suasemocoes.com | udp |
| N/A | 172.67.207.78:80 | www.suasemocoes.com | tcp |
| N/A | 8.8.8.8:53 | www.auskunfton.com | udp |
| N/A | 192.64.115.133:80 | www.auskunfton.com | tcp |
| N/A | 8.8.8.8:53 | www.getthedeals.net | udp |
| N/A | 54.147.165.148:80 | www.getthedeals.net | tcp |
| N/A | 54.147.165.148:80 | www.getthedeals.net | tcp |
| N/A | 8.8.8.8:53 | www.bioabacus.com | udp |
| N/A | 216.58.214.19:80 | www.bioabacus.com | tcp |
| N/A | 216.58.214.19:80 | www.bioabacus.com | tcp |
| N/A | 8.8.8.8:53 | www.anmilpro.com | udp |
| N/A | 62.149.128.45:80 | www.anmilpro.com | tcp |
| N/A | 62.149.128.45:80 | www.anmilpro.com | tcp |
| N/A | 8.8.8.8:53 | www.oth6ykn9h4g.site | udp |
| N/A | 8.8.8.8:53 | www.xufluboa.com | udp |
| N/A | 134.209.225.136:80 | www.xufluboa.com | tcp |
| N/A | 8.8.8.8:53 | www.atrial-traitement.com | udp |
| N/A | 185.4.176.48:80 | www.atrial-traitement.com | tcp |
| N/A | 185.4.176.48:80 | www.atrial-traitement.com | tcp |
| N/A | 8.8.8.8:53 | www.cc445588.com | udp |
| N/A | 156.235.210.188:80 | www.cc445588.com | tcp |
| N/A | 156.235.210.188:80 | www.cc445588.com | tcp |
| N/A | 8.8.8.8:53 | www.electriccars-gr-2022.life | udp |
| N/A | 34.102.136.180:80 | www.electriccars-gr-2022.life | tcp |
| N/A | 34.102.136.180:80 | www.electriccars-gr-2022.life | tcp |
| N/A | 8.8.8.8:53 | www.unitech-usa.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe
| MD5 | 44a7bf46a9c01d3e0486c93767b6cc0f |
| SHA1 | 3cc13566319f0d73f4931a101799862907cd361d |
| SHA256 | b016acfefe7a25f43ec9f9e89bff4d03ea9470941e283b10599acb6769cf76b9 |
| SHA512 | e36053cba4c316a26a72857959c12db9813f1c1187c03d2ecfb545fb54fde6286302054b353a6aead3bb15429ffb6bc2d1bee68cb65cf8df7c0994ff3ffe0602 |
memory/4292-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe
| MD5 | 44a7bf46a9c01d3e0486c93767b6cc0f |
| SHA1 | 3cc13566319f0d73f4931a101799862907cd361d |
| SHA256 | b016acfefe7a25f43ec9f9e89bff4d03ea9470941e283b10599acb6769cf76b9 |
| SHA512 | e36053cba4c316a26a72857959c12db9813f1c1187c03d2ecfb545fb54fde6286302054b353a6aead3bb15429ffb6bc2d1bee68cb65cf8df7c0994ff3ffe0602 |
C:\Users\Admin\AppData\Local\Temp\mewbf.gv
| MD5 | 3c244d8bf6174dbc41727abc9ece7acf |
| SHA1 | 797f05cbef6c579880841488a2ef85a8064db9fa |
| SHA256 | fa3e5994908aed3ee28a15d4f45f396603fd9026db11a342a90c590f5d48a85b |
| SHA512 | 93030940192dcbe0e83895c89de7d57998199fdd6dc71d4dd76d62b2fbadff9aa2a43aea5797bc3d1b17afeda64104a202bde6255647f04a6cb42b8f5282b253 |
C:\Users\Admin\AppData\Local\Temp\zkoclolbinv.obd
| MD5 | 7ae7dcc7e63caee1fd3da08154fa103d |
| SHA1 | c2c152ce21732ad9be3c06d28de2aa28340a095a |
| SHA256 | 5395f4b1e2cdd4ab2cc06957df8e8f4264cfea3fbd7e6970ab9e9a6f0ff2d58b |
| SHA512 | c707b92084a8bde6c11bfa36519389c017cda33b8e1223a116e3055549d7c713f05d16113f739e466c9d3d03dbc8b32058eee43c3caace8e8a6ab4adfb6c232b |
memory/4268-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\rlgffyq.exe
| MD5 | 44a7bf46a9c01d3e0486c93767b6cc0f |
| SHA1 | 3cc13566319f0d73f4931a101799862907cd361d |
| SHA256 | b016acfefe7a25f43ec9f9e89bff4d03ea9470941e283b10599acb6769cf76b9 |
| SHA512 | e36053cba4c316a26a72857959c12db9813f1c1187c03d2ecfb545fb54fde6286302054b353a6aead3bb15429ffb6bc2d1bee68cb65cf8df7c0994ff3ffe0602 |
memory/4268-139-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4268-140-0x0000000000A20000-0x0000000000D6A000-memory.dmp
memory/4268-141-0x00000000008E0000-0x00000000008F1000-memory.dmp
memory/3052-142-0x0000000002890000-0x000000000297A000-memory.dmp
memory/1236-143-0x0000000000000000-mapping.dmp
memory/2324-144-0x0000000000000000-mapping.dmp
memory/1236-146-0x00000000012D0000-0x00000000012FC000-memory.dmp
memory/1236-145-0x00000000004D0000-0x00000000004DB000-memory.dmp
memory/1236-147-0x0000000001B10000-0x0000000001E5A000-memory.dmp
memory/1236-148-0x00000000012D0000-0x00000000012FC000-memory.dmp
memory/1236-149-0x00000000018A0000-0x0000000001930000-memory.dmp
memory/3052-150-0x0000000007C10000-0x0000000007CD8000-memory.dmp
memory/3052-151-0x0000000007C10000-0x0000000007CD8000-memory.dmp
memory/4628-152-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DB1
| MD5 | b608d407fc15adea97c26936bc6f03f6 |
| SHA1 | 953e7420801c76393902c0d6bb56148947e41571 |
| SHA256 | b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf |
| SHA512 | cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4 |
memory/1720-154-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DB1
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
memory/408-156-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\R6lkdfn9h\help_tbhil.exe
| MD5 | 44a7bf46a9c01d3e0486c93767b6cc0f |
| SHA1 | 3cc13566319f0d73f4931a101799862907cd361d |
| SHA256 | b016acfefe7a25f43ec9f9e89bff4d03ea9470941e283b10599acb6769cf76b9 |
| SHA512 | e36053cba4c316a26a72857959c12db9813f1c1187c03d2ecfb545fb54fde6286302054b353a6aead3bb15429ffb6bc2d1bee68cb65cf8df7c0994ff3ffe0602 |
C:\Program Files (x86)\R6lkdfn9h\help_tbhil.exe
| MD5 | 44a7bf46a9c01d3e0486c93767b6cc0f |
| SHA1 | 3cc13566319f0d73f4931a101799862907cd361d |
| SHA256 | b016acfefe7a25f43ec9f9e89bff4d03ea9470941e283b10599acb6769cf76b9 |
| SHA512 | e36053cba4c316a26a72857959c12db9813f1c1187c03d2ecfb545fb54fde6286302054b353a6aead3bb15429ffb6bc2d1bee68cb65cf8df7c0994ff3ffe0602 |