Malware Analysis Report

2025-05-05 21:52

Sample ID 221012-ql9saadeh5
Target 9f40a90db5c7da1cc2ced7e23df53ec3.com.exe
SHA256 2e37d7372a97df9e3955837eeae856489541aab815dffabc00bbc72af6483e9b
Tags
vjw0rm persistence trojan worm
score
10/10

Analysis Overview

score
10/10

SHA256

2e37d7372a97df9e3955837eeae856489541aab815dffabc00bbc72af6483e9b

Threat Level: Known bad

The file 9f40a90db5c7da1cc2ced7e23df53ec3.com.exe was found to be: Known bad.

Malicious Activity Summary

vjw0rm persistence trojan worm

Vjw0rm

Executes dropped EXE

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-12 13:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-12 13:22

Reported

2022-10-12 13:24

Platform

win7-20220901-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f40a90db5c7da1cc2ced7e23df53ec3.com.exe"

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rfil.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rfil.js C:\Windows\SysWOW64\WScript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "0\\4_87\\kkuai.exe 0\\4_87\\fwfinco.apb" C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1372 set thread context of 1468 N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe N/A
(this identical entry is recorded 60 times in the report)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1600 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\9f40a90db5c7da1cc2ced7e23df53ec3.com.exe C:\Windows\SysWOW64\WScript.exe (x4)
PID 1600 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\9f40a90db5c7da1cc2ced7e23df53ec3.com.exe C:\Windows\SysWOW64\WScript.exe (x4)
PID 1792 wrote to memory of 1372 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe (x4)
PID 1372 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe C:\Windows\SysWOW64\mshta.exe (x4)
PID 1372 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe C:\Windows\SysWOW64\mshta.exe (x4)
PID 1372 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe C:\Windows\SysWOW64\mshta.exe (x4)
PID 1372 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe C:\Windows\SysWOW64\mshta.exe (x4)
PID 1372 wrote to memory of 284 N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe C:\Windows\SysWOW64\mshta.exe (x4)
PID 1372 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe C:\Windows\SysWOW64\mshta.exe (x4)
PID 1372 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe C:\Windows\SysWOW64\mshta.exe (x4)
PID 1372 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (x7)
PID 1372 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (x12)
(identical rows collapsed; the count in parentheses is the number of times each entry appears in the report)

Processes

C:\Users\Admin\AppData\Local\Temp\9f40a90db5c7da1cc2ced7e23df53ec3.com.exe

"C:\Users\Admin\AppData\Local\Temp\9f40a90db5c7da1cc2ced7e23df53ec3.com.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\4_87\rfil.js"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\4_87\xrqxkro.vbe"

C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe

"C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe" fwfinco.apb

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto
CN 129.204.138.203:7974 129.204.138.203 tcp

Files

memory/1600-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

memory/1332-55-0x0000000000000000-mapping.dmp

memory/1792-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\temp\4_87\xrqxkro.vbe

MD5 71e60ffa129c1759de7d21cda151dc4e
SHA1 7a727197a54b055d06180b398ce1a196ffd5ffe6
SHA256 26a2dee2267cbd8d019524d2045dda3f0cec89e73d56ba3d2cf2fef9187cb55a
SHA512 bf9ca1b82cbff005357fba82b97c4d0494f4b268b1751639f486a936297e5fa49707d545e3471ef61c4153f6cdd796c344d564f6251de87ac8f499b1002ed3e0

C:\Users\Admin\AppData\Local\temp\4_87\rfil.js

MD5 6c705c7ee0ce269b3e6eb770b797e808
SHA1 e8c6540e4dbb6a464e1f0c2c59cab161f44a8705
SHA256 dbd1b9421d8634cc2af6ae9c4fe72891bd3139527730185d2e28afe0447b4e2e
SHA512 0999401d3218986eac63b8e449a572cdd5aec382fac11a6aa86b6a4035107b75343f6f005d506322c0a0e853c7566cf49078991d93cadfab1e80fad8ed1d93e2

C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe

MD5 b153044cf36a027e19eb94b06003f09c
SHA1 9c5137654c78d249b318d7612a4d3dd2710c3aea
SHA256 cbcdc1eecb091c7e3418706dd0aafaca9018474150f73d2d4b1cc55595dcf550
SHA512 ef301b7c23b5012909e6b2a48d7bffbfc122e6c18180b66bd7ac16c8e9a27f3eff6b7cbab8a997857e6d101f8275ca87ba30d153fecb62e630aad14d923d7b96

\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe

MD5 b153044cf36a027e19eb94b06003f09c
SHA1 9c5137654c78d249b318d7612a4d3dd2710c3aea
SHA256 cbcdc1eecb091c7e3418706dd0aafaca9018474150f73d2d4b1cc55595dcf550
SHA512 ef301b7c23b5012909e6b2a48d7bffbfc122e6c18180b66bd7ac16c8e9a27f3eff6b7cbab8a997857e6d101f8275ca87ba30d153fecb62e630aad14d923d7b96

memory/1372-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe

MD5 b153044cf36a027e19eb94b06003f09c
SHA1 9c5137654c78d249b318d7612a4d3dd2710c3aea
SHA256 cbcdc1eecb091c7e3418706dd0aafaca9018474150f73d2d4b1cc55595dcf550
SHA512 ef301b7c23b5012909e6b2a48d7bffbfc122e6c18180b66bd7ac16c8e9a27f3eff6b7cbab8a997857e6d101f8275ca87ba30d153fecb62e630aad14d923d7b96

C:\Users\Admin\AppData\Local\Temp\4_87\fwfinco.apb

MD5 87bbebf030409ffb724c09365e4d094c
SHA1 dcec2d7a6ff6de98f1760454b1c1c67abeac0da3
SHA256 29808fb1137203fc1b0a840e60876da3d8c3ddf9b21869310b2caa221e64ba24
SHA512 1a5005e44bf12b4e83e77ee5479a413643813ac0aef3ee906693d08c1a4439949931270be996beda5052fc5c2d01a22852224e19b00462cb086b361082a08f6a

C:\Users\Admin\AppData\Local\Temp\4_87\ieeoonj.ppt

MD5 6eab883507b80a10c54c5c90706826c8
SHA1 fd9813bfd24992485b5133d5d68025dd3d0cdf46
SHA256 907be50f2e3548c8ac9f4945c05ce4e74ea8f246c51378e097e10837d0331b43
SHA512 88bfda7bebe18d4c2faeeedf366c781259e1537f74d7f5d0251f9364807fd945faadff2c56dbeffd5dec8b89723cba736a5538eeaeaee8b511bfd3d5b93ee2c1

memory/1096-68-0x0000000000000000-mapping.dmp

memory/1360-69-0x0000000000000000-mapping.dmp

memory/1536-70-0x0000000000000000-mapping.dmp

memory/1820-71-0x0000000000000000-mapping.dmp

memory/284-72-0x0000000000000000-mapping.dmp

memory/796-73-0x0000000000000000-mapping.dmp

memory/908-74-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\4_87\epueaee.qsa

MD5 097b77b3288ee474492dc94a6cb43a15
SHA1 742d0e529289b837f512055a4e448fb17cad7656
SHA256 db326b548a3e1a2a05539881a054b6f9c0ba302d945480564df3cf77fe96ebb1
SHA512 e738ca448b7e83e822803b5bd22ae222584ae46ee67e7ac60189a23af36c42515c1122d5e10b7145db6aee97b110d4882794ee6877a43eb502239d68fa076dab

memory/1468-76-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1468-77-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1468-79-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1468-82-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1468-83-0x0000000000402EE8-mapping.dmp

memory/1468-85-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1468-88-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1468-89-0x0000000000400000-0x0000000000468000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-12 13:22

Reported

2022-10-12 13:24

Platform

win10v2004-20220812-en

Max time kernel

151s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f40a90db5c7da1cc2ced7e23df53ec3.com.exe"

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9f40a90db5c7da1cc2ced7e23df53ec3.com.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rfil.js C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rfil.js C:\Windows\SysWOW64\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "0\\4_87\\kkuai.exe 0\\4_87\\fwfinco.apb" C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4904 set thread context of 4824 N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\9f40a90db5c7da1cc2ced7e23df53ec3.com.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\WScript.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe N/A
(this identical entry is recorded 64 times in the report)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\9f40a90db5c7da1cc2ced7e23df53ec3.com.exe C:\Windows\SysWOW64\WScript.exe (x3)
PID 2200 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\9f40a90db5c7da1cc2ced7e23df53ec3.com.exe C:\Windows\SysWOW64\WScript.exe (x3)
PID 2184 wrote to memory of 4904 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe (x3)
PID 4904 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe C:\Windows\SysWOW64\mshta.exe (x3)
PID 4904 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe C:\Windows\SysWOW64\mshta.exe (x3)
PID 4904 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe C:\Windows\SysWOW64\mshta.exe (x3)
PID 4904 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe C:\Windows\SysWOW64\mshta.exe (x3)
PID 4904 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe C:\Windows\SysWOW64\mshta.exe (x3)
PID 4904 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe C:\Windows\SysWOW64\mshta.exe (x3)
PID 4904 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe C:\Windows\SysWOW64\mshta.exe (x3)
PID 4904 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (x3)
PID 4904 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (x8)
(identical rows collapsed; the count in parentheses is the number of times each entry appears in the report)

Processes

C:\Users\Admin\AppData\Local\Temp\9f40a90db5c7da1cc2ced7e23df53ec3.com.exe

"C:\Users\Admin\AppData\Local\Temp\9f40a90db5c7da1cc2ced7e23df53ec3.com.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\4_87\rfil.js"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\4_87\xrqxkro.vbe"

C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe

"C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe" fwfinco.apb

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto
CN 129.204.138.203:7974 129.204.138.203 tcp
NL 178.79.208.1:80 tcp

Files

memory/4436-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\temp\4_87\rfil.js

MD5 6c705c7ee0ce269b3e6eb770b797e808
SHA1 e8c6540e4dbb6a464e1f0c2c59cab161f44a8705
SHA256 dbd1b9421d8634cc2af6ae9c4fe72891bd3139527730185d2e28afe0447b4e2e
SHA512 0999401d3218986eac63b8e449a572cdd5aec382fac11a6aa86b6a4035107b75343f6f005d506322c0a0e853c7566cf49078991d93cadfab1e80fad8ed1d93e2

memory/2184-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\temp\4_87\xrqxkro.vbe

MD5 71e60ffa129c1759de7d21cda151dc4e
SHA1 7a727197a54b055d06180b398ce1a196ffd5ffe6
SHA256 26a2dee2267cbd8d019524d2045dda3f0cec89e73d56ba3d2cf2fef9187cb55a
SHA512 bf9ca1b82cbff005357fba82b97c4d0494f4b268b1751639f486a936297e5fa49707d545e3471ef61c4153f6cdd796c344d564f6251de87ac8f499b1002ed3e0

C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe

MD5 b153044cf36a027e19eb94b06003f09c
SHA1 9c5137654c78d249b318d7612a4d3dd2710c3aea
SHA256 cbcdc1eecb091c7e3418706dd0aafaca9018474150f73d2d4b1cc55595dcf550
SHA512 ef301b7c23b5012909e6b2a48d7bffbfc122e6c18180b66bd7ac16c8e9a27f3eff6b7cbab8a997857e6d101f8275ca87ba30d153fecb62e630aad14d923d7b96

memory/4904-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\4_87\kkuai.exe

MD5 b153044cf36a027e19eb94b06003f09c
SHA1 9c5137654c78d249b318d7612a4d3dd2710c3aea
SHA256 cbcdc1eecb091c7e3418706dd0aafaca9018474150f73d2d4b1cc55595dcf550
SHA512 ef301b7c23b5012909e6b2a48d7bffbfc122e6c18180b66bd7ac16c8e9a27f3eff6b7cbab8a997857e6d101f8275ca87ba30d153fecb62e630aad14d923d7b96

C:\Users\Admin\AppData\Local\Temp\4_87\fwfinco.apb

MD5 87bbebf030409ffb724c09365e4d094c
SHA1 dcec2d7a6ff6de98f1760454b1c1c67abeac0da3
SHA256 29808fb1137203fc1b0a840e60876da3d8c3ddf9b21869310b2caa221e64ba24
SHA512 1a5005e44bf12b4e83e77ee5479a413643813ac0aef3ee906693d08c1a4439949931270be996beda5052fc5c2d01a22852224e19b00462cb086b361082a08f6a

C:\Users\Admin\AppData\Local\Temp\4_87\ieeoonj.ppt

MD5 6eab883507b80a10c54c5c90706826c8
SHA1 fd9813bfd24992485b5133d5d68025dd3d0cdf46
SHA256 907be50f2e3548c8ac9f4945c05ce4e74ea8f246c51378e097e10837d0331b43
SHA512 88bfda7bebe18d4c2faeeedf366c781259e1537f74d7f5d0251f9364807fd945faadff2c56dbeffd5dec8b89723cba736a5538eeaeaee8b511bfd3d5b93ee2c1

memory/2256-141-0x0000000000000000-mapping.dmp

memory/1332-142-0x0000000000000000-mapping.dmp

memory/4776-143-0x0000000000000000-mapping.dmp

memory/2300-144-0x0000000000000000-mapping.dmp

memory/3916-145-0x0000000000000000-mapping.dmp

memory/2000-146-0x0000000000000000-mapping.dmp

memory/380-147-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\4_87\epueaee.qsa

MD5 097b77b3288ee474492dc94a6cb43a15
SHA1 742d0e529289b837f512055a4e448fb17cad7656
SHA256 db326b548a3e1a2a05539881a054b6f9c0ba302d945480564df3cf77fe96ebb1
SHA512 e738ca448b7e83e822803b5bd22ae222584ae46ee67e7ac60189a23af36c42515c1122d5e10b7145db6aee97b110d4882794ee6877a43eb502239d68fa076dab

memory/4824-150-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4824-149-0x0000000000000000-mapping.dmp

memory/4824-152-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4824-155-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4824-156-0x0000000000400000-0x0000000000468000-memory.dmp