Malware Analysis Report

2025-08-05 12:42

Sample ID 230828-t9gcesda45
Target 4fd32aa955aa9bd3a33ca8771445822be3b55d53e04d5e6fa40b0cbaa354bf68
SHA256 4fd32aa955aa9bd3a33ca8771445822be3b55d53e04d5e6fa40b0cbaa354bf68
Tags
gh0strat purplefox rat rootkit trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

4fd32aa955aa9bd3a33ca8771445822be3b55d53e04d5e6fa40b0cbaa354bf68

Threat Level: Known bad

The file 4fd32aa955aa9bd3a33ca8771445822be3b55d53e04d5e6fa40b0cbaa354bf68 was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox rat rootkit trojan upx

PurpleFox

Gh0st RAT payload

Gh0strat

Detect PurpleFox Rootkit

UPX packed file

Loads dropped DLL

Executes dropped EXE

Deletes itself

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-28 16:45

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-08-28 16:45

Reported

2023-08-28 16:47

Platform

win7-20230712-en

Max time kernel

142s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fd32aa955aa9bd3a33ca8771445822be3b55d53e04d5e6fa40b0cbaa354bf68.exe"

Signatures

Detect PurpleFox Rootkit

rootkit

Gh0st RAT payload


Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Jqiyq.exe N/A
N/A N/A C:\Program Files\Jqiyq.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\Jqiyq.exe N/A

UPX packed file

upx

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\L: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\P: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\R: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\W: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\Z: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\M: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\Q: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\S: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\T: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\U: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\V: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\B: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\E: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\I: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\J: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\N: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\O: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\H: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\K: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\X: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\Y: C:\Program Files\Jqiyq.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Jqiyq.exe C:\Users\Admin\AppData\Local\Temp\4fd32aa955aa9bd3a33ca8771445822be3b55d53e04d5e6fa40b0cbaa354bf68.exe N/A
File opened for modification C:\Program Files\Jqiyq.exe C:\Users\Admin\AppData\Local\Temp\4fd32aa955aa9bd3a33ca8771445822be3b55d53e04d5e6fa40b0cbaa354bf68.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum C:\Program Files\Jqiyq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files\Jqiyq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Program Files\Jqiyq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Program Files\Jqiyq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum C:\Program Files\Jqiyq.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" C:\Program Files\Jqiyq.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Jqiyq.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fd32aa955aa9bd3a33ca8771445822be3b55d53e04d5e6fa40b0cbaa354bf68.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4fd32aa955aa9bd3a33ca8771445822be3b55d53e04d5e6fa40b0cbaa354bf68.exe

"C:\Users\Admin\AppData\Local\Temp\4fd32aa955aa9bd3a33ca8771445822be3b55d53e04d5e6fa40b0cbaa354bf68.exe"

C:\Program Files\Jqiyq.exe

"C:\Program Files\Jqiyq.exe" -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\4FD32A~1.EXE > nul

C:\Program Files\Jqiyq.exe

"C:\Program Files\Jqiyq.exe" -acsi

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 yuankonglyx.e3.luyouxia.net udp
US 8.8.8.8:53 free.whatareyoudo.top udp
US 8.8.8.8:53 yuankonglyx.e3.luyouxia.net udp
CN 123.99.198.130:13308 yuankonglyx.e3.luyouxia.net tcp
CN 123.99.198.130:13308 yuankonglyx.e3.luyouxia.net tcp
US 8.8.8.8:53 yuankonglyx.e3.luyouxia.net udp
CN 183.131.85.25:13308 yuankonglyx.e3.luyouxia.net tcp
CN 183.131.85.25:13308 yuankonglyx.e3.luyouxia.net tcp

Files

memory/2908-0-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/2908-2-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/2908-3-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/2908-4-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/2908-5-0x0000000010000000-0x00000000101D0000-memory.dmp

C:\Program Files\Jqiyq.exe

MD5 3bdd413553f7cf7a568a35531a3416b7
SHA1 0f8fa257444824115d554c40afbb9727927a8402
SHA256 9cafb943a483e5e5699821cac8e11cfe0db0bbf9086cb6fbd4f69afc69af5686
SHA512 e5d2ec3d82129789b08370ef016df00879df0a90b43cac180224f880f80adaa5e6f6d1b2e8e3c18a5368259730f522bd9874f803e2ea14acb94449d4ffc486d0

memory/2908-11-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/2936-16-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/2936-17-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/2936-23-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/2852-26-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/2852-27-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/2852-31-0x0000000010000000-0x00000000101D0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-28 16:45

Reported

2023-08-28 16:48

Platform

win10v2004-20230703-en

Max time kernel

141s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fd32aa955aa9bd3a33ca8771445822be3b55d53e04d5e6fa40b0cbaa354bf68.exe"

Signatures

Detect PurpleFox Rootkit

rootkit

Gh0st RAT payload


Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Jqiyq.exe N/A
N/A N/A C:\Program Files\Jqiyq.exe N/A

UPX packed file

upx

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\L: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\P: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\V: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\K: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\U: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\X: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\G: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\J: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\N: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\T: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\W: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\Q: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\R: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\S: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\E: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\H: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\I: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\M: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\O: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\Y: C:\Program Files\Jqiyq.exe N/A
File opened (read-only) \??\Z: C:\Program Files\Jqiyq.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Jqiyq.exe C:\Users\Admin\AppData\Local\Temp\4fd32aa955aa9bd3a33ca8771445822be3b55d53e04d5e6fa40b0cbaa354bf68.exe N/A
File opened for modification C:\Program Files\Jqiyq.exe C:\Users\Admin\AppData\Local\Temp\4fd32aa955aa9bd3a33ca8771445822be3b55d53e04d5e6fa40b0cbaa354bf68.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Program Files\Jqiyq.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" C:\Program Files\Jqiyq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum C:\Program Files\Jqiyq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files\Jqiyq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Program Files\Jqiyq.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Jqiyq.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4fd32aa955aa9bd3a33ca8771445822be3b55d53e04d5e6fa40b0cbaa354bf68.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4fd32aa955aa9bd3a33ca8771445822be3b55d53e04d5e6fa40b0cbaa354bf68.exe

"C:\Users\Admin\AppData\Local\Temp\4fd32aa955aa9bd3a33ca8771445822be3b55d53e04d5e6fa40b0cbaa354bf68.exe"

C:\Program Files\Jqiyq.exe

"C:\Program Files\Jqiyq.exe" -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\4FD32A~1.EXE > nul

C:\Program Files\Jqiyq.exe

"C:\Program Files\Jqiyq.exe" -acsi

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 254.154.241.8.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 yuankonglyx.e3.luyouxia.net udp
US 8.8.8.8:53 free.whatareyoudo.top udp
CN 124.248.67.83:13308 yuankonglyx.e3.luyouxia.net tcp
US 8.8.8.8:53 83.67.248.124.in-addr.arpa udp
CN 124.248.67.83:13308 yuankonglyx.e3.luyouxia.net tcp
US 8.8.8.8:53 free.whatareyoudo.top udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 free.whatareyoudo.top udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 yuankonglyx.e3.luyouxia.net udp
CN 123.99.198.130:13308 yuankonglyx.e3.luyouxia.net tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
CN 123.99.198.130:13308 yuankonglyx.e3.luyouxia.net tcp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 free.whatareyoudo.top udp
US 8.8.8.8:53 free.whatareyoudo.top udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 yuankonglyx.e3.luyouxia.net udp
CN 123.99.198.130:13308 yuankonglyx.e3.luyouxia.net tcp
US 8.8.8.8:53 free.whatareyoudo.top udp
US 8.8.8.8:53 free.whatareyoudo.top udp
CN 123.99.198.130:13308 yuankonglyx.e3.luyouxia.net tcp
CN 123.99.198.130:13308 yuankonglyx.e3.luyouxia.net tcp
US 8.8.8.8:53 free.whatareyoudo.top udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp

Files

memory/372-0-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/372-5-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/372-4-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/372-3-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/372-6-0x0000000010000000-0x00000000101D0000-memory.dmp

C:\Program Files\Jqiyq.exe

MD5 3bdd413553f7cf7a568a35531a3416b7
SHA1 0f8fa257444824115d554c40afbb9727927a8402
SHA256 9cafb943a483e5e5699821cac8e11cfe0db0bbf9086cb6fbd4f69afc69af5686
SHA512 e5d2ec3d82129789b08370ef016df00879df0a90b43cac180224f880f80adaa5e6f6d1b2e8e3c18a5368259730f522bd9874f803e2ea14acb94449d4ffc486d0

memory/1796-12-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/1796-15-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/1796-16-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/1796-17-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/1796-14-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/1796-18-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/372-19-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/1796-23-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/4688-26-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/4688-27-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/4688-31-0x0000000010000000-0x00000000101D0000-memory.dmp

memory/4688-32-0x0000000010000000-0x00000000101D0000-memory.dmp