Malware Analysis Report

2025-08-05 14:44

Sample ID 250701-hf9akasp12
Target 271JaJbQjMLGbcc.exe
SHA256 6781be8abda50b0cc7d27b9466f7b39572f978cf16151092554e7b4557f0ac06
Tags
formbook hi26 discovery execution rat spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

6781be8abda50b0cc7d27b9466f7b39572f978cf16151092554e7b4557f0ac06

Threat Level: Known bad

The file 271JaJbQjMLGbcc.exe was found to be: Known bad.

Malicious Activity Summary

formbook hi26 discovery execution rat spyware stealer trojan

Formbook

Formbook family

Formbook payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Gathers network information

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-01 06:41

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2025-07-01 06:41

Reported

2025-07-01 06:44

Platform

win11-20250619-en

Max time kernel

149s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook family

formbook

Formbook payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 5260 set thread context of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2128 set thread context of 3308 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Explorer.EXE
PID 3140 set thread context of 3308 | N/A | C:\Windows\SysWOW64\cmmon32.exe | C:\Windows\Explorer.EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmmon32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5260 wrote to memory of 1012 | N/A | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5260 wrote to memory of 5012 | N/A | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5260 wrote to memory of 3944 | N/A | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | C:\Windows\SysWOW64\schtasks.exe
PID 5260 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3308 wrote to memory of 3140 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\cmmon32.exe
PID 3140 wrote to memory of 2188 | N/A | C:\Windows\SysWOW64\cmmon32.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe

"C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xQKiRiS.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xQKiRiS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8D1D.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\cmmon32.exe

"C:\Windows\SysWOW64\cmmon32.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.raaline.shop | udp
IE | 3.248.56.152:80 | www.sig.xyz | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp8D1D.tmp

MD5 965c6297e30b91a9a300c7e7c5c49267
SHA1 dd11f956de931ce179f6be125b65434bc7f05e59
SHA256 3230714493351b7cc2b12453f4ca9a2c945997fcdb0b8deda970a91662cacf9d
SHA512 8989c5002e96bec5bb5bd0d414681280cbb0603bb0882576b056bd2d318f72a6a78db5a3d5d7b4533f22f87d0d51396d3b82103b4681455812e271eb5bc4254f

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xm4tzvqp.cpe.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5153b5e4354b9ecd435ac7e8c94a4f4b
SHA1 cc3bc40bb084a80e8dfbacb4d77dc470d0e8cf34
SHA256 d22a350d12e961f438cd57d1084646e7349921789f01251e0de5a1d786159f5d
SHA512 a985b8fc6041d8f3dac59405c2f24e66132c29c206067ef6e6719e9b725ebc6dc1ab05bc686a8d5f13bfd020818027c17f3c69f65b4766f94de0d019a8f29156

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-01 06:41

Reported

2025-07-01 06:44

Platform

win10v2004-20250610-en

Max time kernel

105s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2116 wrote to memory of 4340 | N/A | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2116 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2116 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2116 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2116 wrote to memory of 4784 | N/A | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2116 wrote to memory of 6000 | N/A | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2116 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2116 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe

"C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xQKiRiS.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xQKiRiS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD755.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.179.227:80 | c.pki.goog | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpD755.tmp

MD5 7eae5f2826cef3c441fdcc7a3d2a7d2f
SHA1 7234b00bab6ff6369e4e6bcb207cbe82d62bb119
SHA256 4e8bc60b66dff0c77cdba36d8074016b5932ebfb4959fa5aa89d503243ae17a6
SHA512 0ee5f855a04250677d77449bb423eb32cea9612bc78932fb41f1d1161e2eb2ccaee6f070d6a24ff325f654b07817ed9c818e957d0ab20ab5d8168a1739bd3240

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lbdosseb.hh1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8814133bfca93253f1a9eb8fb7bae187
SHA1 29b755a1091ff5ba918148f99ed96eb8cbff2603
SHA256 5de9df6973ba46855e1ea7ebad91ee19f907755a018e3f45c6fcb9391c559efa
SHA512 66fed52564da009c4dc93e55cf909581971fba0fccecb459afbc2c889c4d9d8f5eedcc6b75ac26f3518ba7e45a13e2e353fc7fee1193989abbdc4b8f72951352

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-01 06:41

Reported

2025-07-01 06:44

Platform

win10ltsc2021-20250610-en

Max time kernel

150s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook family

formbook

Formbook payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1666585949-2086230170-2304269057-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2168 set thread context of 3232 | N/A | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3232 set thread context of 3516 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Explorer.EXE
PID 4848 set thread context of 3516 | N/A | C:\Windows\SysWOW64\ipconfig.exe | C:\Windows\Explorer.EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | N/A

Gathers network information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2168 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2168 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe C:\Windows\SysWOW64\schtasks.exe
PID 2168 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3516 wrote to memory of 4848 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\ipconfig.exe
PID 4848 wrote to memory of 656 N/A C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe

"C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xQKiRiS.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xQKiRiS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA22B.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\SysWOW64\ipconfig.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.isy.art udp
US 8.8.8.8:53 www.aplayplinko.xyz udp
US 8.8.8.8:53 www.mart-lex.net udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 8.8.8.8:53 www.huangyusij.top udp
US 8.8.8.8:53 www.9kwe.top udp
HK 154.23.222.84:80 www.9kwe.top tcp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\tmpA22B.tmp

MD5 e74ef35146fac1f7010fdd45f9f2b2ce
SHA1 d3ddb70fd316827b156edde48054a0c982c75abd
SHA256 567d7d0c91134ee7c6c482379d3c150e5d0dee887b24767aed5768f2ae035c9a
SHA512 f1d0a7ae031ecddfa63c83818ed3a90e635e6423ddb3725928e5414dd478e1b6f2fdebf319a99b1830c6b6c6427f8c1726553caab58ec0112d044caae4f111a2

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jhcdnhra.jwx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7e75dde1d60e370aade884037e36e8fe
SHA1 d319a029a9c25d46853d718dbcb396e9f1b635b1
SHA256 3e2eeccff0686ac0793359c0caf74fdebe868c8dd5f211201e16e97b5d5b52b9
SHA512 6fa0dbf67edeef04021f69c7b27c5567f380d010a7c451d25e7ac86becc9c1f2d4dc12f5ff09e48f4c4bcf76dff93749162f0e640025664d41add005009cacbc

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 f9349064c7c8f8467cc12d78a462e5f9
SHA1 5e1d27fc64751cd8c0e9448ee47741da588b3484
SHA256 883481fe331cb89fb6061e76b43acd4dd638c16f499b10088b261036c6d0547b
SHA512 3229668491b5e4068e743b31f2896b30b1842faf96aff09fad01b08771c2f11eb8d8f02a3b76e31f0d6ad650c2894c5ac1822204e132c03d9c2b8df6ca4cd7cf
