Malware Analysis Report

2025-08-10 19:21

Sample ID 220616-lwj76adgfr
Target eab904742cd22a48b6fc99bc98b87c96
SHA256 6e496f5019b1a3e69dc4c134c5b842d7a56c934338c8ab49bb4deb939899878d
Tags
formbook xloader tn61 loader persistence rat spyware stealer suricata trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6e496f5019b1a3e69dc4c134c5b842d7a56c934338c8ab49bb4deb939899878d

Threat Level: Known bad

The file eab904742cd22a48b6fc99bc98b87c96 was found to be: Known bad.

Malicious Activity Summary

formbook xloader tn61 loader persistence rat spyware stealer suricata trojan

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader

Formbook

Xloader Payload

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-16 09:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-16 09:52

Reported

2022-06-16 09:55

Platform

win7-20220414-en

Max time kernel

150s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Xloader

loader xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata

Xloader Payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T2_TQ6YXET = "C:\\Program Files (x86)\\Oy4nh\\winonu.exe" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1672 set thread context of 1164 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1164 set thread context of 1204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Explorer.EXE
PID 1344 set thread context of 1204 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Explorer.EXE

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Oy4nh\winonu.exe C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1672 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1672 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1672 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1672 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1672 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1672 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1672 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1204 wrote to memory of 1344 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\rundll32.exe
PID 1204 wrote to memory of 1344 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\rundll32.exe
PID 1204 wrote to memory of 1344 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\rundll32.exe
PID 1204 wrote to memory of 1344 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\rundll32.exe
PID 1204 wrote to memory of 1344 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\rundll32.exe
PID 1204 wrote to memory of 1344 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\rundll32.exe
PID 1204 wrote to memory of 1344 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\rundll32.exe
PID 1344 wrote to memory of 1268 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 1268 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 1268 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 1268 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 796 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files\Mozilla Firefox\Firefox.exe
PID 1344 wrote to memory of 796 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files\Mozilla Firefox\Firefox.exe
PID 1344 wrote to memory of 796 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files\Mozilla Firefox\Firefox.exe
PID 1344 wrote to memory of 796 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files\Mozilla Firefox\Firefox.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe

"C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 8.8.8.8:53 www.pjhxsl.com udp
CN 23.251.62.137:80 www.pjhxsl.com tcp
US 8.8.8.8:53 www.tasteatlus.com udp
US 170.178.168.203:80 www.tasteatlus.com tcp
US 8.8.8.8:53 www.urbanartco.com udp
US 54.209.32.212:80 www.urbanartco.com tcp
US 8.8.8.8:53 www.stilghar.com udp
US 107.149.171.102:80 www.stilghar.com tcp
US 8.8.8.8:53 www.sepetcin.com udp
TR 185.250.243.163:80 www.sepetcin.com tcp
US 8.8.8.8:53 www.ufc188livestreamfree.com udp
US 104.21.95.15:80 www.ufc188livestreamfree.com tcp
US 8.8.8.8:53 www.wbclips.com udp
US 8.8.8.8:53 www.saulomar.com udp
US 8.8.8.8:53 www.dinotacker.com udp
US 199.59.243.220:80 www.dinotacker.com tcp
US 8.8.8.8:53 www.nuoicaymosaigon.com udp
ID 43.255.154.113:80 www.nuoicaymosaigon.com tcp
US 8.8.8.8:53 www.0571kt.net udp
HK 122.10.27.133:80 www.0571kt.net tcp
US 8.8.8.8:53 www.gndgame.info udp
US 208.91.197.27:80 www.gndgame.info tcp
US 8.8.8.8:53 www.arcwarp.com udp
US 188.114.96.0:80 www.arcwarp.com tcp
US 8.8.8.8:53 www.blizzardboy.net udp
US 168.235.88.209:80 www.blizzardboy.net tcp
US 8.8.8.8:53 www.momentums6.com udp
US 199.192.20.96:80 www.momentums6.com tcp

Files

memory/1672-54-0x0000000001090000-0x00000000010CC000-memory.dmp

memory/1672-55-0x0000000000270000-0x00000000002A6000-memory.dmp

memory/1164-57-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1164-56-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1164-59-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1164-60-0x000000000041F2C0-mapping.dmp

memory/1164-62-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1164-63-0x0000000000AE0000-0x0000000000DE3000-memory.dmp

memory/1164-64-0x0000000000180000-0x0000000000191000-memory.dmp

memory/1204-65-0x0000000003DF0000-0x0000000003EA2000-memory.dmp

memory/1344-66-0x0000000000000000-mapping.dmp

memory/1344-67-0x0000000075B61000-0x0000000075B63000-memory.dmp

memory/1268-68-0x0000000000000000-mapping.dmp

memory/1344-69-0x0000000000FA0000-0x0000000000FAE000-memory.dmp

memory/1344-71-0x00000000023B0000-0x00000000026B3000-memory.dmp

memory/1344-70-0x0000000000110000-0x000000000013B000-memory.dmp

memory/1204-73-0x00000000047F0000-0x00000000048A9000-memory.dmp

memory/1344-72-0x00000000007E0000-0x0000000000870000-memory.dmp

memory/1344-74-0x0000000000110000-0x000000000013B000-memory.dmp

memory/1204-75-0x00000000047F0000-0x00000000048A9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-16 09:52

Reported

2022-06-16 09:55

Platform

win10v2004-20220414-en

Max time kernel

151s

Max time network

156s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Xloader

loader xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

suricata

Xloader Payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Hfpvtvh\8pjgzfly8yx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\control.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TJG4-6OHQD = "C:\\Program Files (x86)\\Hfpvtvh\\8pjgzfly8yx.exe" C:\Windows\SysWOW64\control.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3376 set thread context of 1548 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1548 set thread context of 2812 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Explorer.EXE
PID 1796 set thread context of 2812 N/A C:\Windows\SysWOW64\control.exe C:\Windows\Explorer.EXE

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Hfpvtvh\8pjgzfly8yx.exe C:\Windows\SysWOW64\control.exe N/A
File opened for modification C:\Program Files (x86)\Hfpvtvh C:\Windows\Explorer.EXE N/A
File created C:\Program Files (x86)\Hfpvtvh\8pjgzfly8yx.exe C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Hfpvtvh\8pjgzfly8yx.exe C:\Windows\Explorer.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\control.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A
N/A N/A C:\Windows\SysWOW64\control.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\control.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3376 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3376 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3376 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3376 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3376 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3376 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2812 wrote to memory of 1796 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\control.exe
PID 2812 wrote to memory of 1796 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\control.exe
PID 2812 wrote to memory of 1796 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\control.exe
PID 1796 wrote to memory of 4380 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 4380 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 4380 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 3784 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 3784 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 3784 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 924 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 924 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 924 N/A C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 1488 N/A C:\Windows\SysWOW64\control.exe C:\Program Files\Mozilla Firefox\Firefox.exe
PID 1796 wrote to memory of 1488 N/A C:\Windows\SysWOW64\control.exe C:\Program Files\Mozilla Firefox\Firefox.exe
PID 1796 wrote to memory of 1488 N/A C:\Windows\SysWOW64\control.exe C:\Program Files\Mozilla Firefox\Firefox.exe
PID 2812 wrote to memory of 2376 N/A C:\Windows\Explorer.EXE C:\Program Files (x86)\Hfpvtvh\8pjgzfly8yx.exe
PID 2812 wrote to memory of 2376 N/A C:\Windows\Explorer.EXE C:\Program Files (x86)\Hfpvtvh\8pjgzfly8yx.exe
PID 2812 wrote to memory of 2376 N/A C:\Windows\Explorer.EXE C:\Program Files (x86)\Hfpvtvh\8pjgzfly8yx.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe

"C:\Users\Admin\AppData\Local\Temp\SR20220600525003,xlsx.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

C:\Windows\SysWOW64\control.exe

"C:\Windows\SysWOW64\control.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

C:\Windows\SysWOW64\cmd.exe

/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

C:\Windows\SysWOW64\cmd.exe

/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

C:\Program Files (x86)\Hfpvtvh\8pjgzfly8yx.exe

"C:\Program Files (x86)\Hfpvtvh\8pjgzfly8yx.exe"

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
NL 104.110.191.140:80 tcp
US 52.168.117.170:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 www.sepetcin.com udp
TR 185.250.243.163:80 www.sepetcin.com tcp
US 8.8.8.8:53 www.dinotacker.com udp
US 199.59.243.220:80 www.dinotacker.com tcp
US 8.8.8.8:53 www.oneruk-chandeliercleaning.com udp
TH 119.59.104.13:80 www.oneruk-chandeliercleaning.com tcp
US 8.8.8.8:53 www.session.care udp
GB 109.228.34.60:80 www.session.care tcp
FR 2.18.109.224:443 tcp
US 104.18.25.243:80 tcp
US 8.8.8.8:53 www.xdk0blc0tqy6a7.life udp
US 216.18.208.202:80 www.xdk0blc0tqy6a7.life tcp
US 8.8.8.8:53 www.blizzardboy.net udp
US 192.161.187.200:80 www.blizzardboy.net tcp
GB 173.222.211.130:80 tcp
US 8.8.8.8:53 www.www112casinova.com udp
US 8.8.8.8:53 www.davegwatkin.com udp
US 8.8.8.8:53 www.momentums6.com udp
US 199.192.20.96:80 www.momentums6.com tcp
US 8.8.8.8:53 www.chooox.com udp
US 151.101.0.119:80 www.chooox.com tcp
US 151.101.0.119:80 www.chooox.com tcp
US 151.101.0.119:80 www.chooox.com tcp
US 8.8.8.8:53 www.gndgame.info udp
US 208.91.197.27:80 www.gndgame.info tcp
US 208.91.197.27:80 www.gndgame.info tcp
US 208.91.197.27:80 www.gndgame.info tcp
US 8.8.8.8:53 www.ufc188livestreamfree.com udp
US 172.67.169.39:80 www.ufc188livestreamfree.com tcp
US 172.67.169.39:80 www.ufc188livestreamfree.com tcp
US 172.67.169.39:80 www.ufc188livestreamfree.com tcp
US 8.8.8.8:53 www.0571kt.net udp
HK 122.10.27.133:80 www.0571kt.net tcp
HK 122.10.27.133:80 www.0571kt.net tcp
HK 122.10.27.133:80 www.0571kt.net tcp
US 8.8.8.8:53 www.peacockgotv.com udp
US 192.187.111.222:80 www.peacockgotv.com tcp
US 192.187.111.222:80 www.peacockgotv.com tcp
US 192.187.111.222:80 www.peacockgotv.com tcp
US 8.8.8.8:53 www.kreditkarten-optionde.com udp
DE 185.53.179.94:80 www.kreditkarten-optionde.com tcp
DE 185.53.179.94:80 www.kreditkarten-optionde.com tcp
DE 185.53.179.94:80 www.kreditkarten-optionde.com tcp
US 8.8.8.8:53 www.saulomar.com udp

Files

memory/3376-130-0x0000000000C20000-0x0000000000C5C000-memory.dmp

memory/1548-131-0x0000000000000000-mapping.dmp

memory/1548-132-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1548-134-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1548-135-0x00000000015C0000-0x000000000190A000-memory.dmp

memory/1548-136-0x0000000001A80000-0x0000000001A91000-memory.dmp

memory/2812-137-0x0000000008320000-0x0000000008462000-memory.dmp

memory/1796-138-0x0000000000000000-mapping.dmp

memory/1796-139-0x0000000000400000-0x0000000000427000-memory.dmp

memory/1796-140-0x0000000000530000-0x000000000055B000-memory.dmp

memory/4380-141-0x0000000000000000-mapping.dmp

memory/1796-142-0x00000000026D0000-0x0000000002A1A000-memory.dmp

memory/1796-143-0x0000000002460000-0x00000000024F0000-memory.dmp

memory/2812-144-0x0000000008470000-0x00000000085E4000-memory.dmp

memory/1796-145-0x0000000000530000-0x000000000055B000-memory.dmp

memory/2812-146-0x0000000008470000-0x00000000085E4000-memory.dmp

memory/3784-147-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DB1

MD5 b608d407fc15adea97c26936bc6f03f6
SHA1 953e7420801c76393902c0d6bb56148947e41571
SHA256 b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512 cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

memory/924-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DB1

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

memory/2376-151-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Hfpvtvh\8pjgzfly8yx.exe

MD5 70d838a7dc5b359c3f938a71fad77db0
SHA1 66b83eb16481c334719eed406bc58a3c2b910923
SHA256 e4dbdbf7888ea96f3f8aa5c4c7f2bcf6e57d724dd8194fe5f35b673c6ef724ea
SHA512 9c9a945db5b5e7ff8105bfe74578e6f00b5f707f7c3d8f1f1fb41553a6d0eab29cef026e77877a1ad6435fa7bc369141921442e1485f2b0894c6bbcbd7791034

C:\Program Files (x86)\Hfpvtvh\8pjgzfly8yx.exe

MD5 70d838a7dc5b359c3f938a71fad77db0
SHA1 66b83eb16481c334719eed406bc58a3c2b910923
SHA256 e4dbdbf7888ea96f3f8aa5c4c7f2bcf6e57d724dd8194fe5f35b673c6ef724ea
SHA512 9c9a945db5b5e7ff8105bfe74578e6f00b5f707f7c3d8f1f1fb41553a6d0eab29cef026e77877a1ad6435fa7bc369141921442e1485f2b0894c6bbcbd7791034