Malware Analysis Report

2024-10-19 09:28

Sample ID 240715-qtpgbashpp
Target 15072024_1333_12072024_Ticket Receipt and Fine.rar
SHA256 199b27fd2960477373f8866cfe909c639e8a7393390e01de536356ac28d7c2d3
Tags
formbook gb29 rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

199b27fd2960477373f8866cfe909c639e8a7393390e01de536356ac28d7c2d3

Threat Level: Known bad

The file 15072024_1333_12072024_Ticket Receipt and Fine.rar was found to be: Known bad.

Malicious Activity Summary

formbook gb29 rat spyware stealer trojan

Formbook

Formbook payload

Blocklisted process makes network request

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-15 13:33

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-15 13:33

Reported

2024-07-15 13:36

Platform

win7-20240705-en

Max time kernel

149s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2512 set thread context of 2352 N/A C:\Users\Admin\AppData\Local\Temp\Abu Dhabi Police Offenders Publishing Images WSAbuDhabi.exe C:\Windows\SysWOW64\svchost.exe
PID 2352 set thread context of 1216 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 1704 set thread context of 1216 N/A C:\Windows\SysWOW64\cmmon32.exe C:\Windows\Explorer.EXE

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\cmmon32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\Abu Dhabi Police Offenders Publishing Images WSAbuDhabi.exe C:\Windows\SysWOW64\svchost.exe
PID 2512 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\Abu Dhabi Police Offenders Publishing Images WSAbuDhabi.exe C:\Windows\SysWOW64\svchost.exe
PID 2512 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\Abu Dhabi Police Offenders Publishing Images WSAbuDhabi.exe C:\Windows\SysWOW64\svchost.exe
PID 2512 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\Abu Dhabi Police Offenders Publishing Images WSAbuDhabi.exe C:\Windows\SysWOW64\svchost.exe
PID 2512 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\Abu Dhabi Police Offenders Publishing Images WSAbuDhabi.exe C:\Windows\SysWOW64\svchost.exe
PID 1216 wrote to memory of 1704 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmmon32.exe
PID 1216 wrote to memory of 1704 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmmon32.exe
PID 1216 wrote to memory of 1704 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmmon32.exe
PID 1216 wrote to memory of 1704 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmmon32.exe
PID 1704 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Abu Dhabi Police Offenders Publishing Images WSAbuDhabi.exe

"C:\Users\Admin\AppData\Local\Temp\Abu Dhabi Police Offenders Publishing Images WSAbuDhabi.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\Abu Dhabi Police Offenders Publishing Images WSAbuDhabi.exe"

C:\Windows\SysWOW64\cmmon32.exe

"C:\Windows\SysWOW64\cmmon32.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\SysWOW64\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.agstudio.website udp
RU 87.236.16.33:80 www.agstudio.website tcp
US 8.8.8.8:53 www.www25716.vip udp
US 74.120.170.132:80 www.www25716.vip tcp
US 8.8.8.8:53 www.deecentshop.xyz udp
US 8.8.8.8:53 www.fieldasarite.monster udp
US 167.71.93.25:80 www.fieldasarite.monster tcp
US 8.8.8.8:53 www.fieldasarite.monster udp
US 167.71.93.25:80 www.fieldasarite.monster tcp
US 8.8.8.8:53 www.yoursouthjerseylawyer.com udp
DE 91.195.240.19:80 www.yoursouthjerseylawyer.com tcp

Files

memory/2512-10-0x00000000000B0000-0x00000000000B4000-memory.dmp

memory/2352-11-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2352-15-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2352-14-0x0000000000220000-0x0000000000234000-memory.dmp

memory/2352-13-0x0000000000700000-0x0000000000A03000-memory.dmp

memory/1216-16-0x00000000064E0000-0x00000000065A9000-memory.dmp

memory/1704-18-0x0000000000A70000-0x0000000000A7D000-memory.dmp

memory/1704-17-0x0000000000A70000-0x0000000000A7D000-memory.dmp

memory/1704-19-0x0000000000080000-0x00000000000AF000-memory.dmp

memory/1216-22-0x00000000064E0000-0x00000000065A9000-memory.dmp

memory/1216-26-0x00000000065B0000-0x000000000669D000-memory.dmp

memory/1216-27-0x00000000065B0000-0x000000000669D000-memory.dmp

memory/1216-30-0x00000000065B0000-0x000000000669D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-15 13:33

Reported

2024-07-15 13:36

Platform

win10v2004-20240709-en

Max time kernel

147s

Max time network

147s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3068 set thread context of 5072 N/A C:\Users\Admin\AppData\Local\Temp\Abu Dhabi Police Offenders Publishing Images WSAbuDhabi.exe C:\Windows\SysWOW64\svchost.exe
PID 5072 set thread context of 3536 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 724 set thread context of 3536 N/A C:\Windows\SysWOW64\WWAHost.exe C:\Windows\Explorer.EXE

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WWAHost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Abu Dhabi Police Offenders Publishing Images WSAbuDhabi.exe

"C:\Users\Admin\AppData\Local\Temp\Abu Dhabi Police Offenders Publishing Images WSAbuDhabi.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\Abu Dhabi Police Offenders Publishing Images WSAbuDhabi.exe"

C:\Windows\SysWOW64\WWAHost.exe

"C:\Windows\SysWOW64\WWAHost.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\SysWOW64\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 www.rsstationary.com udp
US 8.8.8.8:53 www.yoursouthjerseylawyer.com udp
DE 91.195.240.19:80 www.yoursouthjerseylawyer.com tcp
US 8.8.8.8:53 19.240.195.91.in-addr.arpa udp
US 8.8.8.8:53 www.7598812.com udp
US 172.67.190.217:80 www.7598812.com tcp
US 8.8.8.8:53 217.190.67.172.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.horebconstructioncorp.com udp
US 8.8.8.8:53 www.buses.life udp
US 103.224.212.216:80 www.buses.life tcp

Files

memory/3068-10-0x00000000014C0000-0x00000000014C4000-memory.dmp

memory/5072-11-0x0000000000400000-0x000000000042F000-memory.dmp

memory/5072-12-0x0000000001B00000-0x0000000001E4A000-memory.dmp

memory/5072-15-0x0000000001FB0000-0x0000000001FC4000-memory.dmp

memory/5072-14-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3536-16-0x0000000008F50000-0x000000000908C000-memory.dmp

memory/724-17-0x0000000000290000-0x000000000036C000-memory.dmp

memory/724-19-0x0000000000290000-0x000000000036C000-memory.dmp

memory/724-20-0x00000000008E0000-0x000000000090F000-memory.dmp

memory/3536-22-0x0000000008F50000-0x000000000908C000-memory.dmp

memory/3536-25-0x00000000077E0000-0x00000000078BA000-memory.dmp

memory/3536-26-0x00000000077E0000-0x00000000078BA000-memory.dmp

memory/3536-29-0x00000000077E0000-0x00000000078BA000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-15 13:33

Reported

2024-07-15 13:36

Platform

win7-20240705-en

Max time kernel

148s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2696 set thread context of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Receipt-30927862-Ticket#0973726-Fines-19346383.exe C:\Windows\SysWOW64\svchost.exe
PID 2704 set thread context of 1232 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 2824 set thread context of 1232 N/A C:\Windows\SysWOW64\wlanext.exe C:\Windows\Explorer.EXE

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wlanext.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2696 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Receipt-30927862-Ticket#0973726-Fines-19346383.exe C:\Windows\SysWOW64\svchost.exe
PID 2696 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Receipt-30927862-Ticket#0973726-Fines-19346383.exe C:\Windows\SysWOW64\svchost.exe
PID 2696 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Receipt-30927862-Ticket#0973726-Fines-19346383.exe C:\Windows\SysWOW64\svchost.exe
PID 2696 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Receipt-30927862-Ticket#0973726-Fines-19346383.exe C:\Windows\SysWOW64\svchost.exe
PID 2696 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Receipt-30927862-Ticket#0973726-Fines-19346383.exe C:\Windows\SysWOW64\svchost.exe
PID 1232 wrote to memory of 2824 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wlanext.exe
PID 1232 wrote to memory of 2824 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wlanext.exe
PID 1232 wrote to memory of 2824 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wlanext.exe
PID 1232 wrote to memory of 2824 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wlanext.exe
PID 2824 wrote to memory of 2876 N/A C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2876 N/A C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2876 N/A C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2876 N/A C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Receipt-30927862-Ticket#0973726-Fines-19346383.exe

"C:\Users\Admin\AppData\Local\Temp\Receipt-30927862-Ticket#0973726-Fines-19346383.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\Receipt-30927862-Ticket#0973726-Fines-19346383.exe"

C:\Windows\SysWOW64\wlanext.exe

"C:\Windows\SysWOW64\wlanext.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\SysWOW64\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.fieldasarite.monster udp
US 167.71.93.25:80 www.fieldasarite.monster tcp
US 8.8.8.8:53 www.fieldasarite.monster udp
US 167.71.93.25:80 www.fieldasarite.monster tcp
US 8.8.8.8:53 www.56moon.com udp
US 3.94.41.167:80 www.56moon.com tcp
US 8.8.8.8:53 www.trikpolatombak3.site udp
US 162.0.209.40:80 www.trikpolatombak3.site tcp
US 8.8.8.8:53 www.xzyetyp.com udp
US 172.87.202.247:80 www.xzyetyp.com tcp
US 8.8.8.8:53 www.pqjzr.xyz udp
HK 149.30.235.233:80 www.pqjzr.xyz tcp
US 8.8.8.8:53 www.mardigreen.com udp
US 44.227.76.166:80 www.mardigreen.com tcp

Files

memory/2696-10-0x0000000000160000-0x0000000000164000-memory.dmp

memory/2704-11-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2704-13-0x00000000008D0000-0x0000000000BD3000-memory.dmp

memory/2704-16-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2704-15-0x0000000000190000-0x00000000001A4000-memory.dmp

memory/1232-17-0x0000000004420000-0x0000000004525000-memory.dmp

memory/2824-20-0x0000000000270000-0x0000000000286000-memory.dmp

memory/2824-18-0x0000000000270000-0x0000000000286000-memory.dmp

memory/2824-21-0x0000000000080000-0x00000000000AF000-memory.dmp

memory/1232-24-0x0000000004420000-0x0000000004525000-memory.dmp

memory/1232-28-0x0000000006870000-0x0000000006933000-memory.dmp

memory/1232-29-0x0000000006870000-0x0000000006933000-memory.dmp

memory/1232-32-0x0000000006870000-0x0000000006933000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-15 13:33

Reported

2024-07-15 13:36

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4628 set thread context of 1956 N/A C:\Users\Admin\AppData\Local\Temp\Receipt-30927862-Ticket#0973726-Fines-19346383.exe C:\Windows\SysWOW64\svchost.exe
PID 1956 set thread context of 3440 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 4012 set thread context of 3440 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Explorer.EXE

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Receipt-30927862-Ticket#0973726-Fines-19346383.exe

"C:\Users\Admin\AppData\Local\Temp\Receipt-30927862-Ticket#0973726-Fines-19346383.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\Receipt-30927862-Ticket#0973726-Fines-19346383.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\SysWOW64\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 www.agcpros.com udp
US 66.81.203.198:80 www.agcpros.com tcp
US 8.8.8.8:53 www.agcpros.com udp
US 66.81.203.198:80 www.agcpros.com tcp
US 8.8.8.8:53 www.theinternote.com udp
US 208.91.197.132:80 www.theinternote.com tcp
US 8.8.8.8:53 132.197.91.208.in-addr.arpa udp
US 8.8.8.8:53 www.dokalopsia.digital udp
LT 84.32.84.32:80 www.dokalopsia.digital tcp
US 8.8.8.8:53 32.84.32.84.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.azdesertvibes.com udp
US 34.149.87.45:80 www.azdesertvibes.com tcp
US 8.8.8.8:53 45.87.149.34.in-addr.arpa udp
US 8.8.8.8:53 www.yoursouthjerseylawyer.com udp
DE 91.195.240.19:80 www.yoursouthjerseylawyer.com tcp
US 8.8.8.8:53 19.240.195.91.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 www.ultimabet.store udp
US 75.2.115.196:80 www.ultimabet.store tcp
US 8.8.8.8:53 196.115.2.75.in-addr.arpa udp

Files

memory/4628-10-0x00000000010D0000-0x00000000010D4000-memory.dmp

memory/1956-11-0x0000000000390000-0x00000000003BF000-memory.dmp

memory/1956-14-0x0000000000AD0000-0x0000000000E1A000-memory.dmp

memory/1956-16-0x0000000001470000-0x0000000001484000-memory.dmp

memory/1956-15-0x0000000000390000-0x00000000003BF000-memory.dmp

memory/3440-17-0x0000000008540000-0x0000000008661000-memory.dmp

memory/4012-18-0x0000000000CE0000-0x0000000000CF4000-memory.dmp

memory/4012-20-0x0000000000CE0000-0x0000000000CF4000-memory.dmp

memory/4012-21-0x0000000001200000-0x000000000122F000-memory.dmp

memory/3440-23-0x0000000008540000-0x0000000008661000-memory.dmp

memory/3440-26-0x0000000007EE0000-0x0000000007FB9000-memory.dmp

memory/3440-27-0x0000000007EE0000-0x0000000007FB9000-memory.dmp

memory/3440-30-0x0000000007EE0000-0x0000000007FB9000-memory.dmp