Malware Analysis Report

2025-08-05 13:52

Sample ID 220621-lazeyscffm
Target pay2.bin
SHA256 c4692b54a5619346cd90557fc71a3bcb9a5712d40b5e30411a87f4bec4697005
Tags
rat utg6 xloader formbook loader persistence spyware stealer suricata trojan
score
10/10

Analysis Overview

score
10/10

SHA256

c4692b54a5619346cd90557fc71a3bcb9a5712d40b5e30411a87f4bec4697005

Threat Level: Known bad

The file pay2.bin was found to be: Known bad.

Malicious Activity Summary

rat utg6 xloader formbook loader persistence spyware stealer suricata trojan

Xloader

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Xloader Payload

Xloader family

Formbook

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload

Executes dropped EXE

Adds policy Run key to start application

Checks computer location settings

Reads user/profile data of web browsers

Deletes itself

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-21 09:20

Signatures

Xloader Payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Xloader family

xloader

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-21 09:20

Reported

2022-06-21 09:23

Platform

win7-20220414-en

Max time kernel

147s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Xloader

loader xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata

Xloader Payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Nljod5z\user7nmtbv.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pay2.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\systray.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JX4LG0T0V6 = "C:\\Program Files (x86)\\Nljod5z\\user7nmtbv.exe" C:\Windows\SysWOW64\systray.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 800 set thread context of 1212 N/A C:\Users\Admin\AppData\Local\Temp\pay2.exe C:\Windows\Explorer.EXE
PID 2024 set thread context of 1212 N/A C:\Windows\SysWOW64\systray.exe C:\Windows\Explorer.EXE

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Nljod5z\user7nmtbv.exe C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\Nljod5z\user7nmtbv.exe C:\Windows\SysWOW64\systray.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\systray.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\pay2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\systray.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Nljod5z\user7nmtbv.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1212 wrote to memory of 2024 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\systray.exe
PID 2024 wrote to memory of 1744 N/A C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 460 N/A C:\Windows\SysWOW64\systray.exe C:\Program Files\Mozilla Firefox\Firefox.exe
PID 1212 wrote to memory of 872 N/A C:\Windows\Explorer.EXE C:\Program Files (x86)\Nljod5z\user7nmtbv.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\pay2.exe

"C:\Users\Admin\AppData\Local\Temp\pay2.exe"

C:\Windows\SysWOW64\systray.exe

"C:\Windows\SysWOW64\systray.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\pay2.exe"

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

C:\Program Files (x86)\Nljod5z\user7nmtbv.exe

"C:\Program Files (x86)\Nljod5z\user7nmtbv.exe"

Network

Files

C:\Program Files (x86)\Nljod5z\user7nmtbv.exe

MD5 4b052ae067d179b1e9626c250771002e
SHA1 a37c079cc492f9ebcb5fefc440db929007e3f409
SHA256 c4692b54a5619346cd90557fc71a3bcb9a5712d40b5e30411a87f4bec4697005
SHA512 ea186cfbaac1e7fbaff049c258eb3b10c6d11fb01415dc2c4e4292637cba825697e360170803338d451aa333d6c7a4e78223d8c37f73a7ab6a70b65a7e656ce2

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-21 09:20

Reported

2022-06-21 09:23

Platform

win10v2004-20220414-en

Max time kernel

150s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader

loader xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

suricata

Xloader Payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\msdt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\K6ADFTBP = "C:\\Program Files (x86)\\D9r0tsbm\\8pxdufwvxg4rtb.exe" C:\Windows\SysWOW64\msdt.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pay2.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1868 set thread context of 3168 N/A C:\Users\Admin\AppData\Local\Temp\pay2.exe C:\Windows\Explorer.EXE
PID 664 set thread context of 3168 N/A C:\Windows\SysWOW64\msdt.exe C:\Windows\Explorer.EXE

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe C:\Windows\SysWOW64\msdt.exe N/A
File opened for modification C:\Program Files (x86)\D9r0tsbm C:\Windows\Explorer.EXE N/A
File created C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe C:\Windows\Explorer.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\msdt.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pay2.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\pay2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msdt.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3168 wrote to memory of 664 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\msdt.exe
PID 664 wrote to memory of 4548 N/A C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\cmd.exe
PID 664 wrote to memory of 2444 N/A C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\cmd.exe
PID 664 wrote to memory of 3712 N/A C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\cmd.exe
PID 664 wrote to memory of 4944 N/A C:\Windows\SysWOW64\msdt.exe C:\Program Files\Mozilla Firefox\Firefox.exe
PID 3168 wrote to memory of 952 N/A C:\Windows\Explorer.EXE C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\pay2.exe

"C:\Users\Admin\AppData\Local\Temp\pay2.exe"

C:\Windows\SysWOW64\msdt.exe

"C:\Windows\SysWOW64\msdt.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\pay2.exe"

C:\Windows\SysWOW64\cmd.exe

/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

C:\Windows\SysWOW64\cmd.exe

/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe

"C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\DB1

MD5 b608d407fc15adea97c26936bc6f03f6
SHA1 953e7420801c76393902c0d6bb56148947e41571
SHA256 b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512 cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

C:\Users\Admin\AppData\Local\Temp\DB1

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe

MD5 4b052ae067d179b1e9626c250771002e
SHA1 a37c079cc492f9ebcb5fefc440db929007e3f409
SHA256 c4692b54a5619346cd90557fc71a3bcb9a5712d40b5e30411a87f4bec4697005
SHA512 ea186cfbaac1e7fbaff049c258eb3b10c6d11fb01415dc2c4e4292637cba825697e360170803338d451aa333d6c7a4e78223d8c37f73a7ab6a70b65a7e656ce2
