Analysis Overview
SHA256
6781be8abda50b0cc7d27b9466f7b39572f978cf16151092554e7b4557f0ac06
Threat Level: Known bad
The file 271JaJbQjMLGbcc.exe was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook family
Formbook payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Gathers network information
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-01 06:41
Signatures
Analysis: behavioral3
Detonation Overview
Submitted
2025-07-01 06:41
Reported
2025-07-01 06:44
Platform
win11-20250619-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Formbook
Formbook family
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5260 set thread context of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 2128 set thread context of 3308 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Explorer.EXE |
| PID 3140 set thread context of 3308 | N/A | C:\Windows\SysWOW64\cmmon32.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmmon32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | "C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xQKiRiS.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xQKiRiS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8D1D.tmp" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" |
| C:\Windows\SysWOW64\cmmon32.exe | "C:\Windows\SysWOW64\cmmon32.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.raaline.shop | udp |
| IE | 3.248.56.152:80 | www.sig.xyz | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp8D1D.tmp
| MD5 | 965c6297e30b91a9a300c7e7c5c49267 |
| SHA1 | dd11f956de931ce179f6be125b65434bc7f05e59 |
| SHA256 | 3230714493351b7cc2b12453f4ca9a2c945997fcdb0b8deda970a91662cacf9d |
| SHA512 | 8989c5002e96bec5bb5bd0d414681280cbb0603bb0882576b056bd2d318f72a6a78db5a3d5d7b4533f22f87d0d51396d3b82103b4681455812e271eb5bc4254f |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xm4tzvqp.cpe.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | d0c46cad6c0778401e21910bd6b56b70 |
| SHA1 | 7be418951ea96326aca445b8dfe449b2bfa0dca6 |
| SHA256 | 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02 |
| SHA512 | 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5153b5e4354b9ecd435ac7e8c94a4f4b |
| SHA1 | cc3bc40bb084a80e8dfbacb4d77dc470d0e8cf34 |
| SHA256 | d22a350d12e961f438cd57d1084646e7349921789f01251e0de5a1d786159f5d |
| SHA512 | a985b8fc6041d8f3dac59405c2f24e66132c29c206067ef6e6719e9b725ebc6dc1ab05bc686a8d5f13bfd020818027c17f3c69f65b4766f94de0d019a8f29156 |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-01 06:41
Reported
2025-07-01 06:44
Platform
win10v2004-20250610-en
Max time kernel
105s
Max time network
137s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | N/A |
Uses the VBS compiler for execution
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | "C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xQKiRiS.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xQKiRiS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD755.tmp" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpD755.tmp
| MD5 | 7eae5f2826cef3c441fdcc7a3d2a7d2f |
| SHA1 | 7234b00bab6ff6369e4e6bcb207cbe82d62bb119 |
| SHA256 | 4e8bc60b66dff0c77cdba36d8074016b5932ebfb4959fa5aa89d503243ae17a6 |
| SHA512 | 0ee5f855a04250677d77449bb423eb32cea9612bc78932fb41f1d1161e2eb2ccaee6f070d6a24ff325f654b07817ed9c818e957d0ab20ab5d8168a1739bd3240 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lbdosseb.hh1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8814133bfca93253f1a9eb8fb7bae187 |
| SHA1 | 29b755a1091ff5ba918148f99ed96eb8cbff2603 |
| SHA256 | 5de9df6973ba46855e1ea7ebad91ee19f907755a018e3f45c6fcb9391c559efa |
| SHA512 | 66fed52564da009c4dc93e55cf909581971fba0fccecb459afbc2c889c4d9d8f5eedcc6b75ac26f3518ba7e45a13e2e353fc7fee1193989abbdc4b8f72951352 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-01 06:41
Reported
2025-07-01 06:44
Platform
win10ltsc2021-20250610-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Formbook
Formbook family
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1666585949-2086230170-2304269057-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2168 set thread context of 3232 | N/A | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 3232 set thread context of 3516 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Explorer.EXE |
| PID 4848 set thread context of 3516 | N/A | C:\Windows\SysWOW64\ipconfig.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe | "C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\271JaJbQjMLGbcc.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xQKiRiS.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xQKiRiS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA22B.tmp" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" |
| C:\Windows\SysWOW64\ipconfig.exe | "C:\Windows\SysWOW64\ipconfig.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.isy.art | udp |
| US | 8.8.8.8:53 | www.aplayplinko.xyz | udp |
| US | 8.8.8.8:53 | www.mart-lex.net | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | www.huangyusij.top | udp |
| US | 8.8.8.8:53 | www.9kwe.top | udp |
| HK | 154.23.222.84:80 | www.9kwe.top | tcp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpA22B.tmp
| MD5 | e74ef35146fac1f7010fdd45f9f2b2ce |
| SHA1 | d3ddb70fd316827b156edde48054a0c982c75abd |
| SHA256 | 567d7d0c91134ee7c6c482379d3c150e5d0dee887b24767aed5768f2ae035c9a |
| SHA512 | f1d0a7ae031ecddfa63c83818ed3a90e635e6423ddb3725928e5414dd478e1b6f2fdebf319a99b1830c6b6c6427f8c1726553caab58ec0112d044caae4f111a2 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jhcdnhra.jwx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7e75dde1d60e370aade884037e36e8fe |
| SHA1 | d319a029a9c25d46853d718dbcb396e9f1b635b1 |
| SHA256 | 3e2eeccff0686ac0793359c0caf74fdebe868c8dd5f211201e16e97b5d5b52b9 |
| SHA512 | 6fa0dbf67edeef04021f69c7b27c5567f380d010a7c451d25e7ac86becc9c1f2d4dc12f5ff09e48f4c4bcf76dff93749162f0e640025664d41add005009cacbc |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | f9349064c7c8f8467cc12d78a462e5f9 |
| SHA1 | 5e1d27fc64751cd8c0e9448ee47741da588b3484 |
| SHA256 | 883481fe331cb89fb6061e76b43acd4dd638c16f499b10088b261036c6d0547b |
| SHA512 | 3229668491b5e4068e743b31f2896b30b1842faf96aff09fad01b08771c2f11eb8d8f02a3b76e31f0d6ad650c2894c5ac1822204e132c03d9c2b8df6ca4cd7cf |