Analysis Overview
SHA256
f09aaecd8326e6cfe7eb413ff97f62a7537d38da9eb11e89ad5fa3fc3f256ad9
Threat Level: Known bad
The file TRANSFERENCIA 112987.17.js was found to be: Known bad.
Malicious Activity Summary
Formbook
Vjw0rm
Formbook payload
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings
Reads user/profile data of web browsers
Drops startup file
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-08-17 06:30
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-08-17 06:30
Reported
2022-08-17 06:32
Platform
win7-20220812-en
Max time kernel
151s
Max time network
152s
Command Line
Signatures
Formbook
Vjw0rm
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPaotlcvgR.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPaotlcvgR.js | C:\Windows\System32\wscript.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1580 set thread context of 1220 | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | C:\Windows\Explorer.EXE |
| PID 1592 set thread context of 1220 | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\TRANSFERENCIA 112987.17.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VPaotlcvgR.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"
C:\Users\Admin\AppData\Local\Temp\bin.exe
"C:\Users\Admin\AppData\Local\Temp\bin.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | kodencherycollege.ac.in | udp |
| SG | 148.66.137.120:443 | kodencherycollege.ac.in | tcp |
| US | 8.8.8.8:53 | macjoe597.duia.ro | udp |
| US | 8.8.8.8:53 | macjoe597.duia.ro | udp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| SG | 148.66.137.120:443 | kodencherycollege.ac.in | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| SG | 148.66.137.120:443 | kodencherycollege.ac.in | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| US | 8.8.8.8:53 | www.decazafatas.com | udp |
| VN | 103.167.196.150:80 | www.decazafatas.com | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| VN | 103.167.196.150:80 | www.decazafatas.com | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| US | 8.8.8.8:53 | www.integration.cfd | udp |
| US | 8.8.8.8:53 | www.integration.cfd | udp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| US | 8.8.8.8:53 | www.desireedaniels.team | udp |
| US | 34.102.136.180:80 | www.desireedaniels.team | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| US | 34.102.136.180:80 | www.desireedaniels.team | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| US | 8.8.8.8:53 | www.specialthing.store | udp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | | tcp |
Files
memory/748-54-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\VPaotlcvgR.js
| MD5 | 8c05239516dbd3fd5501fa9a1eba063b |
| SHA1 | cd983650af2353da97dd908f7027339e622ce819 |
| SHA256 | 56226c2bbb8ba4586aea45ea618d7aa574280225036b22ac6e57aa907860c547 |
| SHA512 | 8affbe22f0bc64aa685a5c38fbba0f9f43df726aa40392ad1b39792ceb15616bf2f6371b192fb7e4b492a44b953a8068ff82003d2bc51acb99d1aaee51d257d7 |
memory/912-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js
| MD5 | a542a21ecaba36f6ba8c6457b8ab67f9 |
| SHA1 | 3f05ddc6d6e59554cd9870b9e4b17919b81eaa6c |
| SHA256 | bc831f27e6da7b5e82be628a1564c8b6aee02ec9290c5d21f99733dd2d1db47b |
| SHA512 | 78ca13a83bbd029470978b1e465ee6b0c2a9345a1fe8ee3e86d9f1d48bd52b7927a16e607f71084a91706213d8ddc0293ed06a1927e478b9bbc21ab0b47b9a2a |
memory/912-58-0x000007FEFB881000-0x000007FEFB883000-memory.dmp
memory/1580-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\bin.exe
| MD5 | 7578ec3deb440e8bffbc0eb52766fb3c |
| SHA1 | 8e33631cb47203bdae3fc2f2b0b0b3670de1335e |
| SHA256 | 252ce128d1491da94eb7936517f807a53e0b93bb2b7caacd981e0d51a8febd36 |
| SHA512 | 9e3c04191330cf6a076bf5a82c8ae43afb7fe54bb136fe68ce9a412b3c02aa4e85dec89933d056ecf09f3e9a28d3cbdbe1912478e7bc0a7d68cd21806abc2276 |
memory/1580-61-0x0000000000740000-0x0000000000A43000-memory.dmp
memory/1580-62-0x0000000000180000-0x0000000000194000-memory.dmp
memory/1220-63-0x0000000007550000-0x00000000076C5000-memory.dmp
memory/1592-64-0x0000000000000000-mapping.dmp
memory/1592-66-0x0000000000420000-0x0000000000446000-memory.dmp
memory/1592-67-0x0000000001E60000-0x0000000002163000-memory.dmp
memory/1592-68-0x0000000000170000-0x000000000019F000-memory.dmp
memory/1592-69-0x0000000075A11000-0x0000000075A13000-memory.dmp
memory/1592-70-0x0000000001CC0000-0x0000000001D53000-memory.dmp
memory/1220-71-0x0000000004DC0000-0x0000000004EAA000-memory.dmp
memory/1592-72-0x0000000001CC0000-0x0000000001D53000-memory.dmp
memory/1220-73-0x0000000004DC0000-0x0000000004EAA000-memory.dmp
C:\Users\Admin\AppData\Roaming\2N0MC23V\2N0logri.ini
| MD5 | d63a82e5d81e02e399090af26db0b9cb |
| SHA1 | 91d0014c8f54743bba141fd60c9d963f869d76c9 |
| SHA256 | eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae |
| SHA512 | 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad |
C:\Users\Admin\AppData\Roaming\2N0MC23V\2N0logrf.ini
| MD5 | 2f245469795b865bdd1b956c23d7893d |
| SHA1 | 6ad80b974d3808f5a20ea1e766c7d2f88b9e5895 |
| SHA256 | 1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361 |
| SHA512 | 909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f |
C:\Users\Admin\AppData\Roaming\2N0MC23V\2N0logim.jpeg
| MD5 | 586cfe5292bc68cbea4733842d690714 |
| SHA1 | b69c82df750ad29620915f81c51ca2d2d26fca2b |
| SHA256 | 8fa13955a82bd027e4e684047b8db4ff1857654dc436d748a2f593615d390ce8 |
| SHA512 | 5c77b84bf0641834f8247a3f2356c5f9dcc4f9e691e5eda5fa33d1583149efbcd54670c368f49c54db3b6c4c99fed0329a3bc1ecc87e056720e044b272c9ae74 |
C:\Users\Admin\AppData\Roaming\2N0MC23V\2N0logrv.ini
| MD5 | ba3b6bc807d4f76794c4b81b09bb9ba5 |
| SHA1 | 24cb89501f0212ff3095ecc0aba97dd563718fb1 |
| SHA256 | 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507 |
| SHA512 | ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf |
Analysis: behavioral2
Detonation Overview
Submitted
2022-08-17 06:30
Reported
2022-08-17 06:32
Platform
win10v2004-20220812-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Formbook
Vjw0rm
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPaotlcvgR.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VPaotlcvgR.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js | C:\Windows\System32\wscript.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4156 set thread context of 740 | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | C:\Windows\Explorer.EXE |
| PID 32 set thread context of 740 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\help.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B\Blob = [certificate blob omitted] | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B | C:\Windows\system32\wscript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\TRANSFERENCIA 112987.17.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VPaotlcvgR.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"
C:\Users\Admin\AppData\Local\Temp\bin.exe
"C:\Users\Admin\AppData\Local\Temp\bin.exe"
C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.253.208.113:80 | | tcp |
| US | 8.253.208.113:80 | | tcp |
| US | 8.8.8.8:53 | kodencherycollege.ac.in | udp |
| SG | 148.66.137.120:443 | kodencherycollege.ac.in | tcp |
| US | 8.8.8.8:53 | macjoe597.duia.ro | udp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| US | 8.8.8.8:53 | crl.godaddy.com | udp |
| US | 192.124.249.31:80 | crl.godaddy.com | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| US | 93.184.220.29:80 | | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| US | 8.253.208.113:80 | | tcp |
| US | 8.253.208.113:80 | | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| US | 8.253.208.113:80 | | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| NL | 104.80.225.205:443 | | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| US | 8.8.8.8:53 | www.oulunmetallipalvelu.com | udp |
| US | 198.54.117.211:80 | www.oulunmetallipalvelu.com | tcp |
| US | 198.54.117.211:80 | www.oulunmetallipalvelu.com | tcp |
| US | 198.54.117.211:80 | www.oulunmetallipalvelu.com | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| US | 8.8.8.8:53 | www.used.systems | udp |
| NO | 185.83.214.222:80 | www.used.systems | tcp |
| NO | 185.83.214.222:80 | www.used.systems | tcp |
| NO | 185.83.214.222:80 | www.used.systems | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| US | 8.8.8.8:53 | www.syjqgg.com | udp |
| HK | 154.221.83.13:80 | www.syjqgg.com | tcp |
| HK | 154.221.83.13:80 | www.syjqgg.com | tcp |
| HK | 154.221.83.13:80 | www.syjqgg.com | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| US | 8.8.8.8:53 | www.integration.cfd | udp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
| CH | 91.192.100.8:8159 | macjoe597.duia.ro | tcp |
Files
memory/4872-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\VPaotlcvgR.js
| MD5 | 8c05239516dbd3fd5501fa9a1eba063b |
| SHA1 | cd983650af2353da97dd908f7027339e622ce819 |
| SHA256 | 56226c2bbb8ba4586aea45ea618d7aa574280225036b22ac6e57aa907860c547 |
| SHA512 | 8affbe22f0bc64aa685a5c38fbba0f9f43df726aa40392ad1b39792ceb15616bf2f6371b192fb7e4b492a44b953a8068ff82003d2bc51acb99d1aaee51d257d7 |
memory/4404-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js
| MD5 | a542a21ecaba36f6ba8c6457b8ab67f9 |
| SHA1 | 3f05ddc6d6e59554cd9870b9e4b17919b81eaa6c |
| SHA256 | bc831f27e6da7b5e82be628a1564c8b6aee02ec9290c5d21f99733dd2d1db47b |
| SHA512 | 78ca13a83bbd029470978b1e465ee6b0c2a9345a1fe8ee3e86d9f1d48bd52b7927a16e607f71084a91706213d8ddc0293ed06a1927e478b9bbc21ab0b47b9a2a |
C:\Users\Admin\AppData\Local\Temp\bin.exe
| MD5 | 7578ec3deb440e8bffbc0eb52766fb3c |
| SHA1 | 8e33631cb47203bdae3fc2f2b0b0b3670de1335e |
| SHA256 | 252ce128d1491da94eb7936517f807a53e0b93bb2b7caacd981e0d51a8febd36 |
| SHA512 | 9e3c04191330cf6a076bf5a82c8ae43afb7fe54bb136fe68ce9a412b3c02aa4e85dec89933d056ecf09f3e9a28d3cbdbe1912478e7bc0a7d68cd21806abc2276 |
memory/4156-136-0x0000000000000000-mapping.dmp
memory/4156-139-0x0000000001780000-0x0000000001ACA000-memory.dmp
memory/4156-140-0x0000000001AD0000-0x0000000001AE4000-memory.dmp
memory/740-141-0x0000000008AF0000-0x0000000008C49000-memory.dmp
memory/32-142-0x0000000000000000-mapping.dmp
memory/32-143-0x00000000016B0000-0x00000000019FA000-memory.dmp
memory/32-145-0x0000000000D70000-0x0000000000D9F000-memory.dmp
memory/32-144-0x0000000000CE0000-0x0000000000CE7000-memory.dmp
memory/3552-146-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DB1
| MD5 | b608d407fc15adea97c26936bc6f03f6 |
| SHA1 | 953e7420801c76393902c0d6bb56148947e41571 |
| SHA256 | b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf |
| SHA512 | cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4 |
memory/32-148-0x00000000014F0000-0x0000000001583000-memory.dmp
memory/740-149-0x0000000008C50000-0x0000000008DAD000-memory.dmp
memory/740-150-0x0000000008C50000-0x0000000008DAD000-memory.dmp
C:\Users\Admin\AppData\Roaming\2N0MC23V\2N0logri.ini
| MD5 | d63a82e5d81e02e399090af26db0b9cb |
| SHA1 | 91d0014c8f54743bba141fd60c9d963f869d76c9 |
| SHA256 | eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae |
| SHA512 | 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad |
C:\Users\Admin\AppData\Roaming\2N0MC23V\2N0logrf.ini
| MD5 | 2f245469795b865bdd1b956c23d7893d |
| SHA1 | 6ad80b974d3808f5a20ea1e766c7d2f88b9e5895 |
| SHA256 | 1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361 |
| SHA512 | 909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f |
C:\Users\Admin\AppData\Roaming\2N0MC23V\2N0logim.jpeg
| MD5 | fb0ab1cf6a8dc40d8cfa54f9d16542e3 |
| SHA1 | cd889a091d69352a30b79eb47f62cd9ad0b8982d |
| SHA256 | d3704ed9be145f48811b12d645bd5489508644163f6b870ff610bc243c5c0e84 |
| SHA512 | 7ce8e957e73e1f725cf7168ce443e5387fa1e56475da0b6d6a4119e6b388ae0955c81719b874c6273475df661af699f552aac0dc6a530592abbb7567c79b1217 |
C:\Users\Admin\AppData\Roaming\2N0MC23V\2N0logrv.ini
| MD5 | bbc41c78bae6c71e63cb544a6a284d94 |
| SHA1 | 33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a |
| SHA256 | ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb |
| SHA512 | 0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4 |
C:\Users\Admin\AppData\Roaming\2N0MC23V\2N0logrg.ini
| MD5 | 4aadf49fed30e4c9b3fe4a3dd6445ebe |
| SHA1 | 1e332822167c6f351b99615eada2c30a538ff037 |
| SHA256 | 75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56 |
| SHA512 | eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945 |