Malware Analysis Report

2025-05-28 15:55

Sample ID 220922-n5ys1sfbfq
Target Bill_for_September.js
SHA256 4fcdcb3039331525724bfeb0cbc97bd0893de48d4aa4ca95e282f0a8f2a1a5ab
Tags
formbook vjw0rm te2r persistence rat spyware stealer trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4fcdcb3039331525724bfeb0cbc97bd0893de48d4aa4ca95e282f0a8f2a1a5ab

Threat Level: Known bad

The file Bill_for_September.js was found to be: Known bad.

Malicious Activity Summary

formbook vjw0rm te2r persistence rat spyware stealer trojan worm

Vjw0rm

Formbook

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Drops startup file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2022-09-22 11:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-22 11:59

Reported

2022-09-22 12:02

Platform

win7-20220812-en

Max time kernel

150s

Max time network

152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Bill_for_September.js

Signatures

Formbook

trojan spyware stealer formbook

Vjw0rm

trojan worm vjw0rm

Downloads MZ/PE file

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OKbZTSiYGW.js C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OKbZTSiYGW.js C:\Windows\System32\WScript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dl-11941615582555800775452413394.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yhttn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fgnxz\\Yhttn.exe\"" C:\Users\Admin\AppData\Local\Temp\dl-11941615582555800775452413394.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1196 set thread context of 1352 N/A C:\Users\Admin\AppData\Local\Temp\dl-11941615582555800775452413394.exe C:\Users\Admin\AppData\Local\Temp\dl-11941615582555800775452413394.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dl-11941615582555800775452413394.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dl-11941615582555800775452413394.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Java\jre7\bin\javaw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 1252 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 2020 wrote to memory of 1108 N/A C:\Windows\system32\wscript.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 1108 wrote to memory of 1196 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\dl-11941615582555800775452413394.exe
PID 1196 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\dl-11941615582555800775452413394.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1196 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\dl-11941615582555800775452413394.exe C:\Users\Admin\AppData\Local\Temp\dl-11941615582555800775452413394.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Bill_for_September.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\OKbZTSiYGW.js"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ykmjni.txt"

C:\Users\Admin\AppData\Local\Temp\dl-11941615582555800775452413394.exe

C:\Users\Admin\AppData\Local\Temp\dl-11941615582555800775452413394.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA== (the -enc argument is base64-encoded UTF-16LE and decodes to: Start-Sleep -Seconds 50)

C:\Users\Admin\AppData\Local\Temp\dl-11941615582555800775452413394.exe

C:\Users\Admin\AppData\Local\Temp\dl-11941615582555800775452413394.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 javaautorun.duia.ro udp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
US 8.8.8.8:53 jbd231.duckdns.org udp
NL 109.248.150.138:3269 jbd231.duckdns.org tcp
SE 185.29.10.205:80 185.29.10.205 tcp

Files

memory/2020-54-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp

memory/1252-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\OKbZTSiYGW.js

MD5 cd1e26090eca7148fb0bf3d0a9070791
SHA1 745715f115adbc17ee4f903908cedbf5f33fe305
SHA256 5ccd5f609f1f1c47e835968018ad8efc7dc25c6ab5c6b8212a279ddd494b7196
SHA512 12b6a39cd7e3495c562e8c5a73aeba37e7055d5c4049a1a976a9945609ae7452d0ceb70e9c95432151104cd39991dadc36978ac87c1b09cb09cb53d17f014bdc

memory/1108-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\ykmjni.txt

MD5 f3fec1cda20623152eadff01fa271dd9
SHA1 24b5b9e16d17fa7828b0f2edeaa5aab8ac8bacfb
SHA256 eb5605cc851a689a83c9555f48465ea5d13af94ea8db927e6f8ba32640462efc
SHA512 5895e77dedd7756e98f4484b0ea0bdba348211349eb6483ca002d60d293e58f253028a4b07f6deab2d902cbbcc502cf75ac812ec38c30fd05d7e74d1cc5a8a2f

memory/1108-71-0x0000000002230000-0x0000000005230000-memory.dmp

memory/1108-74-0x0000000000370000-0x000000000037A000-memory.dmp

memory/1108-75-0x0000000000370000-0x000000000037A000-memory.dmp

memory/1196-76-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dl-11941615582555800775452413394.exe

MD5 ca997af70e0e7ba134bd85015d945684
SHA1 0d2972cf028063d8086fc6207537d8d1796993b7
SHA256 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9

memory/1196-79-0x00000000009C0000-0x00000000009C8000-memory.dmp

memory/1196-80-0x00000000756B1000-0x00000000756B3000-memory.dmp

memory/1196-81-0x00000000097F0000-0x00000000098C4000-memory.dmp

memory/1196-82-0x0000000005420000-0x00000000054B2000-memory.dmp

memory/852-83-0x0000000000000000-mapping.dmp

memory/852-85-0x000000006EFF0000-0x000000006F59B000-memory.dmp

memory/1108-86-0x0000000002230000-0x0000000005230000-memory.dmp

memory/1108-87-0x0000000000370000-0x000000000037A000-memory.dmp

memory/852-88-0x000000006EFF0000-0x000000006F59B000-memory.dmp

memory/852-89-0x000000006EFF0000-0x000000006F59B000-memory.dmp

\Users\Admin\AppData\Local\Temp\dl-11941615582555800775452413394.exe

MD5 ca997af70e0e7ba134bd85015d945684
SHA1 0d2972cf028063d8086fc6207537d8d1796993b7
SHA256 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9

memory/1352-91-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1352-92-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1352-94-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1352-95-0x00000000004012B0-mapping.dmp

memory/1352-99-0x0000000000401000-0x000000000042F000-memory.dmp

memory/1352-98-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1352-100-0x00000000009D0000-0x0000000000CD3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-22 11:59

Reported

2022-09-22 12:02

Platform

win10v2004-20220901-en

Max time kernel

145s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Bill_for_September.js

Signatures

Formbook

trojan spyware stealer formbook

Vjw0rm

trojan worm vjw0rm

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OKbZTSiYGW.js C:\Windows\System32\WScript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OKbZTSiYGW.js C:\Windows\System32\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yhttn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fgnxz\\Yhttn.exe\"" C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 432 set thread context of 3472 N/A C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Windows\system32\wscript.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5004 wrote to memory of 3300 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 5004 wrote to memory of 5076 N/A C:\Windows\system32\wscript.exe C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 5076 wrote to memory of 432 N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe
PID 432 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 432 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Bill_for_September.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\OKbZTSiYGW.js"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\fqobbsahk.txt"

C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe

C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA== (the -enc argument is base64-encoded UTF-16LE and decodes to: Start-Sleep -Seconds 50)

C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe

C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 javaautorun.duia.ro udp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
US 8.8.8.8:53 jbd231.duckdns.org udp
NL 109.248.150.138:3269 jbd231.duckdns.org tcp
SE 185.29.10.205:80 185.29.10.205 tcp
US 52.182.141.63:443 tcp
FR 2.18.109.224:443 tcp
US 93.184.221.240:80 tcp

Files

memory/3300-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\OKbZTSiYGW.js

MD5 cd1e26090eca7148fb0bf3d0a9070791
SHA1 745715f115adbc17ee4f903908cedbf5f33fe305
SHA256 5ccd5f609f1f1c47e835968018ad8efc7dc25c6ab5c6b8212a279ddd494b7196
SHA512 12b6a39cd7e3495c562e8c5a73aeba37e7055d5c4049a1a976a9945609ae7452d0ceb70e9c95432151104cd39991dadc36978ac87c1b09cb09cb53d17f014bdc

memory/5076-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\fqobbsahk.txt

MD5 f3fec1cda20623152eadff01fa271dd9
SHA1 24b5b9e16d17fa7828b0f2edeaa5aab8ac8bacfb
SHA256 eb5605cc851a689a83c9555f48465ea5d13af94ea8db927e6f8ba32640462efc
SHA512 5895e77dedd7756e98f4484b0ea0bdba348211349eb6483ca002d60d293e58f253028a4b07f6deab2d902cbbcc502cf75ac812ec38c30fd05d7e74d1cc5a8a2f

memory/5076-145-0x0000000002DE0000-0x0000000003DE0000-memory.dmp

memory/432-148-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dl12834470169017282922439687978.exe

MD5 ca997af70e0e7ba134bd85015d945684
SHA1 0d2972cf028063d8086fc6207537d8d1796993b7
SHA256 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9

memory/432-151-0x0000000000230000-0x0000000000238000-memory.dmp

memory/5076-152-0x0000000002DE0000-0x0000000003DE0000-memory.dmp

memory/5076-153-0x0000000002DE0000-0x0000000003DE0000-memory.dmp

memory/432-154-0x00000000094E0000-0x0000000009502000-memory.dmp

memory/5068-155-0x0000000000000000-mapping.dmp

memory/5068-156-0x0000000002C70000-0x0000000002CA6000-memory.dmp

memory/5068-157-0x0000000005800000-0x0000000005E28000-memory.dmp

memory/5068-158-0x0000000005E30000-0x0000000005E96000-memory.dmp

memory/5068-159-0x0000000005F10000-0x0000000005F76000-memory.dmp

memory/5068-160-0x00000000065A0000-0x00000000065BE000-memory.dmp

memory/5068-161-0x0000000007DF0000-0x000000000846A000-memory.dmp

memory/5068-162-0x0000000006A90000-0x0000000006AAA000-memory.dmp

memory/5076-163-0x0000000002DE0000-0x0000000003DE0000-memory.dmp

memory/5076-164-0x0000000002DE0000-0x0000000003DE0000-memory.dmp

memory/3472-166-0x0000000000000000-mapping.dmp

memory/3472-167-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3472-170-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3472-171-0x0000000000401000-0x000000000042F000-memory.dmp

memory/3472-172-0x00000000018C0000-0x0000000001C0A000-memory.dmp

memory/5076-173-0x0000000002DE0000-0x0000000003DE0000-memory.dmp

memory/5076-174-0x0000000002DE0000-0x0000000003DE0000-memory.dmp