Malware Analysis Report

2025-06-16 05:12

Sample ID: 230127-fajfvagd93
Target: c5edcf43ecc797a13c565d436c6a541c.exe
SHA256: d8e71f4f6c001ff40cdc03fff232d097a103a4413b8e74ecb9a333b8a2d6a436
Tags: formbook xloader poub loader persistence rat spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: d8e71f4f6c001ff40cdc03fff232d097a103a4413b8e74ecb9a333b8a2d6a436

Threat Level: Known bad

The file c5edcf43ecc797a13c565d436c6a541c.exe was found to be: Known bad.

Malicious Activity Summary

formbook xloader poub loader persistence rat spyware stealer trojan

Xloader

Formbook

Xloader payload

Adds policy Run key to start application

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-01-27 04:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-01-27 04:40
Reported: 2023-01-27 04:42
Platform: win7-20221111-en
Max time kernel: 147s
Max time network: 148s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Xloader

loader xloader

Xloader payload

rat
Description | Indicator | Process | Target
N/A (3 events) | N/A | N/A | N/A

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\raserver.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JPMXV4SH940 = "C:\\Program Files (x86)\\M-z_\\gdiyhl0vfnh.exe" | C:\Windows\SysWOW64\raserver.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1444 set thread context of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe | C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
PID 1472 set thread context of 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe | C:\Windows\Explorer.EXE
PID 1180 set thread context of 1260 | N/A | C:\Windows\SysWOW64\raserver.exe | C:\Windows\Explorer.EXE

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\M-z_\gdiyhl0vfnh.exe | C:\Windows\SysWOW64\raserver.exe | N/A
File created | C:\Program Files (x86)\M-z_\gdiyhl0vfnh.exe | C:\Windows\Explorer.EXE | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\M-z_\gdiyhl0vfnh.exe

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \Registry\User\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\raserver.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\raserver.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A (2 events) | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A (2 events) | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1584 wrote to memory of 1444 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\c5edcf43ecc797a13c565d436c6a541c.exe | C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
PID 1444 wrote to memory of 1472 (5 events) | N/A | C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe | C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
PID 1260 wrote to memory of 1180 (4 events) | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\raserver.exe
PID 1180 wrote to memory of 1564 (4 events) | N/A | C:\Windows\SysWOW64\raserver.exe | C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 364 (5 events) | N/A | C:\Windows\SysWOW64\raserver.exe | C:\Program Files\Mozilla Firefox\Firefox.exe
PID 1260 wrote to memory of 1104 (4 events) | N/A | C:\Windows\Explorer.EXE | C:\Program Files (x86)\M-z_\gdiyhl0vfnh.exe
PID 1104 wrote to memory of 952 (4 events) | N/A | C:\Program Files (x86)\M-z_\gdiyhl0vfnh.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c5edcf43ecc797a13c565d436c6a541c.exe

"C:\Users\Admin\AppData\Local\Temp\c5edcf43ecc797a13c565d436c6a541c.exe"

C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe

"C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe" C:\Users\Admin\AppData\Local\Temp\guiaopyy.j

C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe

"C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe"

C:\Windows\SysWOW64\raserver.exe

"C:\Windows\SysWOW64\raserver.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe"

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

C:\Program Files (x86)\M-z_\gdiyhl0vfnh.exe

"C:\Program Files (x86)\M-z_\gdiyhl0vfnh.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 216

Network


Files

C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe

C:\Users\Admin\AppData\Local\Temp\guiaopyy.j

C:\Users\Admin\AppData\Local\Temp\lufvp.o

C:\Program Files (x86)\M-z_\gdiyhl0vfnh.exe

Analysis: behavioral2

Detonation Overview

Submitted: 2023-01-27 04:40
Reported: 2023-01-27 04:42
Platform: win10v2004-20221111-en
Max time kernel: 148s
Max time network: 152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Xloader

loader xloader

Xloader payload

rat
Description | Indicator | Process | Target
N/A (3 events) | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\help.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHUPDH-XEBMH = "C:\\Program Files (x86)\\T9r6hz\\gnhdhrr58.exe" | C:\Windows\SysWOW64\help.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2676 set thread context of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe | C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
PID 1116 set thread context of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe | C:\Windows\Explorer.EXE
PID 3528 set thread context of 2644 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\Explorer.EXE

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\T9r6hz\gnhdhrr58.exe | C:\Windows\SysWOW64\help.exe | N/A
File opened for modification | C:\Program Files (x86)\T9r6hz | C:\Windows\Explorer.EXE | N/A
File created | C:\Program Files (x86)\T9r6hz\gnhdhrr58.exe | C:\Windows\Explorer.EXE | N/A
File opened for modification | C:\Program Files (x86)\T9r6hz\gnhdhrr58.exe | C:\Windows\Explorer.EXE | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\T9r6hz\gnhdhrr58.exe

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \Registry\User\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\help.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe | N/A
N/A (54 events) | N/A | C:\Windows\SysWOW64\help.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\help.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4580 wrote to memory of 2676 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\c5edcf43ecc797a13c565d436c6a541c.exe | C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
PID 2676 wrote to memory of 1116 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe | C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe
PID 2644 wrote to memory of 3528 (3 events) | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\help.exe
PID 3528 wrote to memory of 3784 (3 events) | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\SysWOW64\cmd.exe
PID 3528 wrote to memory of 2868 (3 events) | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\SysWOW64\cmd.exe
PID 3528 wrote to memory of 2464 (3 events) | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\SysWOW64\cmd.exe
PID 3528 wrote to memory of 480 (3 events) | N/A | C:\Windows\SysWOW64\help.exe | C:\Program Files\Mozilla Firefox\Firefox.exe
PID 2644 wrote to memory of 3856 (3 events) | N/A | C:\Windows\Explorer.EXE | C:\Program Files (x86)\T9r6hz\gnhdhrr58.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c5edcf43ecc797a13c565d436c6a541c.exe

"C:\Users\Admin\AppData\Local\Temp\c5edcf43ecc797a13c565d436c6a541c.exe"

C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe

"C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe" C:\Users\Admin\AppData\Local\Temp\guiaopyy.j

C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe

"C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe"

C:\Windows\SysWOW64\help.exe

"C:\Windows\SysWOW64\help.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe"

C:\Windows\SysWOW64\cmd.exe

/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

C:\Windows\SysWOW64\cmd.exe

/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

C:\Program Files (x86)\T9r6hz\gnhdhrr58.exe

"C:\Program Files (x86)\T9r6hz\gnhdhrr58.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3856 -ip 3856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 508

Network


Files

C:\Users\Admin\AppData\Local\Temp\kyfhnzgx.exe

C:\Users\Admin\AppData\Local\Temp\guiaopyy.j

C:\Users\Admin\AppData\Local\Temp\lufvp.o

C:\Users\Admin\AppData\Local\Temp\DB1

C:\Program Files (x86)\T9r6hz\gnhdhrr58.exe