Malware Analysis Report

2025-05-05 21:52

Sample ID 221012-qlpgcadeh4
Target Swift_049949_pdf.js
SHA256 4a9a8778e84343f5992bddbfdec6e7d45ca399d1f20a44bcb8eaccd05372f193
Tags
formbook vjw0rm xrob rat spyware stealer trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4a9a8778e84343f5992bddbfdec6e7d45ca399d1f20a44bcb8eaccd05372f193

Threat Level: Known bad

The file Swift_049949_pdf.js was found to be: Known bad.

Chain observed in both behavioral runs: wscript.exe runs the submitted script (a .js named to look like a PDF), which writes a second script, WvtFvwPcPZ.js, to C:\Users\Admin\AppData\Roaming and to the user's Startup folder, relaunches it with wscript.exe //B, and drops and executes C:\Users\Admin\AppData\Local\Temp\bin.exe. bin.exe sets the thread context of Explorer.EXE; Explorer then starts a SysWOW64 binary (NAPSTAT.EXE on Win7, wlanext.exe on Win10) that again sets Explorer's thread context, creates the Internet Explorer IntelliForms\Storage2 key and launches Firefox.exe. Network activity is a series of DNS lookups and short HTTP connections to many unrelated domains plus repeated connections to 41.217.29.135:5465 (javaautorun.duia.ro), the only non-web port in either run.

Malicious Activity Summary

formbook vjw0rm xrob rat spyware stealer trojan worm

Formbook

Vjw0rm

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Drops startup file

Loads dropped DLL

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-12 13:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-12 13:21

Reported

2022-10-12 13:23

Platform

win7-20220901-en

Max time kernel

149s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
(Geo\Nation holds the country configured for the user; reading it is a common way to decide whether to run in a given region. In this run it is the dropped bin.exe, not the script, that reads it.)

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WvtFvwPcPZ.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WvtFvwPcPZ.js C:\Windows\System32\wscript.exe N/A
(A script in the per-user Startup folder is run by wscript.exe at every interactive logon of that user. For cleanup, both this copy and C:\Users\Admin\AppData\Roaming\WvtFvwPcPZ.js, listed under Files below, need to go.)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
(The sandbox does not name the DLL here; the only dropped DLL under Files below is \Users\Admin\AppData\Local\Temp\sqlite3.dll, and the run also fetched www.sqlite.org. A stealer typically needs SQLite to read browser login and cookie databases.)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 584 set thread context of 1344 N/A C:\Users\Admin\AppData\Local\Temp\bin.exe C:\Windows\Explorer.EXE
PID 996 set thread context of 1344 N/A C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\Explorer.EXE

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\NAPSTAT.EXE N/A
(IntelliForms\Storage2 is where Internet Explorer keeps AutoComplete form and credential data. "Key created" is RegCreateKey, which opens the key if it already exists; an injected SysWOW64 process touching it is consistent with credential harvesting rather than a settings change.)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1444 wrote to memory of 460 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1444 wrote to memory of 460 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1444 wrote to memory of 460 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1444 wrote to memory of 584 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\bin.exe
PID 1444 wrote to memory of 584 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\bin.exe
PID 1444 wrote to memory of 584 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\bin.exe
PID 1444 wrote to memory of 584 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\bin.exe
PID 1344 wrote to memory of 996 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
PID 1344 wrote to memory of 996 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
PID 1344 wrote to memory of 996 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
PID 1344 wrote to memory of 996 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
PID 996 wrote to memory of 972 N/A C:\Windows\SysWOW64\NAPSTAT.EXE C:\Program Files\Mozilla Firefox\Firefox.exe
PID 996 wrote to memory of 972 N/A C:\Windows\SysWOW64\NAPSTAT.EXE C:\Program Files\Mozilla Firefox\Firefox.exe
PID 996 wrote to memory of 972 N/A C:\Windows\SysWOW64\NAPSTAT.EXE C:\Program Files\Mozilla Firefox\Firefox.exe
PID 996 wrote to memory of 972 N/A C:\Windows\SysWOW64\NAPSTAT.EXE C:\Program Files\Mozilla Firefox\Firefox.exe
PID 996 wrote to memory of 972 N/A C:\Windows\SysWOW64\NAPSTAT.EXE C:\Program Files\Mozilla Firefox\Firefox.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Swift_049949_pdf.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\WvtFvwPcPZ.js"
(//B is WScript batch mode: script errors and prompts are not displayed, so the relaunched script runs without any visible dialog.)

C:\Users\Admin\AppData\Local\Temp\bin.exe

"C:\Users\Admin\AppData\Local\Temp\bin.exe"

C:\Windows\SysWOW64\NAPSTAT.EXE

"C:\Windows\SysWOW64\NAPSTAT.EXE"

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"
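The SetThreadContext, WriteProcessMemory and Processes tables above describe a single injection chain, but the sandbox prints them as one row per API call. The script below is an added example for this page, not sandbox output: it parses rows in exactly that format (the sample rows are copied from the behavioral1 tables and de-duplicated), rebuilds the chain starting at the first wscript.exe, lists which PIDs had their thread context rewritten, and runs a few heuristics over the two wscript.exe command lines. The function names and the heuristics are this example's own assumptions, not anything the sandbox provides.

```python
"""Rebuild the injection chain from sandbox SetThreadContext / WriteProcessMemory
rows and flag the Windows Script Host command lines.  Added example, not sandbox
output; rows below are copied from the behavioral1 tables above."""
import re

# Constructed input: the sandbox repeats a row per API call, so duplicates are expected.
INJECTION_ROWS = r"""
PID 584 set thread context of 1344 N/A C:\Users\Admin\AppData\Local\Temp\bin.exe C:\Windows\Explorer.EXE
PID 996 set thread context of 1344 N/A C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\Explorer.EXE
PID 1444 wrote to memory of 460 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1444 wrote to memory of 584 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\bin.exe
PID 1444 wrote to memory of 584 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\bin.exe
PID 1344 wrote to memory of 996 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
PID 996 wrote to memory of 972 N/A C:\Windows\SysWOW64\NAPSTAT.EXE C:\Program Files\Mozilla Firefox\Firefox.exe
"""

# The process path is matched non-greedily up to the next " C:\", so image
# paths containing spaces (C:\Program Files\...) still split correctly.
ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) N/A (.*?) (C:\\.*)$")
ACTION = {"set thread context of": "set_thread_context", "wrote to memory of": "write_process_memory"}


def parse_rows(text):
    """Rows -> edges {src, dst, action, src_img, dst_img}, repeats dropped."""
    edges, seen = [], set()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, verb, dst, src_img, dst_img = m.groups()
        key = (int(src), ACTION[verb], int(dst))
        if key not in seen:
            seen.add(key)
            edges.append({"src": int(src), "dst": int(dst), "action": ACTION[verb],
                          "src_img": src_img, "dst_img": dst_img})
    return edges


def thread_context_targets(edges):
    """PIDs whose thread context another process rewrote: the strongest injection signal here."""
    return {e["dst"]: e["dst_img"] for e in edges if e["action"] == "set_thread_context"}


def _name(path):
    return path.rsplit("\\", 1)[-1]


def walk_chain(edges, root_pid):
    """Depth-first walk from root_pid; one 'a --action--> b' string per hop, cycles cut."""
    by_src = {}
    for e in edges:
        by_src.setdefault(e["src"], []).append(e)
    hops, visited = [], set()

    def visit(pid):
        visited.add(pid)
        for e in by_src.get(pid, []):
            hops.append(f'{_name(e["src_img"])}({e["src"]}) --{e["action"]}--> '
                        f'{_name(e["dst_img"])}({e["dst"]})')
            if e["dst"] not in visited:   # NAPSTAT -> Explorer -> NAPSTAT would loop otherwise
                visit(e["dst"])

    visit(root_pid)
    return hops


# Constructed input: the two wscript.exe command lines from the Processes list above.
SCRIPT_CMDLINES = [
    r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Swift_049949_pdf.js",
    r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\WvtFvwPcPZ.js"',
]


def script_host_flags(cmdline):
    """Reasons a wscript/cscript command line deserves a look; [] for anything else."""
    low = cmdline.lower()
    if "wscript" not in low and "cscript" not in low:
        return []
    reasons = []
    if re.search(r"//b\b", low):
        reasons.append("batch mode (//B): script errors and prompts are suppressed")
    if re.search(r"//e:", low):
        reasons.append("engine override (//E:)")
    if "\\appdata\\" in low:
        reasons.append("script runs from a user profile directory (AppData)")
    if "\\start menu\\programs\\startup\\" in low:
        reasons.append("script lives in the Startup folder")
    if re.search(r"[_.-](pdf|docx?|xlsx?)\.(js|jse|vbs|vbe|wsf)\b", low):
        reasons.append("document-lookalike name with a script extension")
    return reasons


if __name__ == "__main__":
    edges = parse_rows(INJECTION_ROWS)
    print("thread-context targets:", thread_context_targets(edges))
    print("\n".join(walk_chain(edges, 1444)))
    for c in SCRIPT_CMDLINES:
        print(c, "->", script_host_flags(c))
```

Walking from PID 1444 yields six hops: wscript.exe spawns a second wscript.exe and bin.exe, bin.exe rewrites Explorer.EXE's thread context, Explorer writes into NAPSTAT.EXE, and NAPSTAT.EXE both rewrites Explorer's thread context and writes into Firefox.exe. The same parser works unchanged on the behavioral2 rows (PIDs 856, 3092 and 1288, wlanext.exe instead of NAPSTAT.EXE).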

Network

Country Destination Domain Proto
US 8.8.8.8:53 javaautorun.duia.ro udp
NG 41.217.29.135:5465 javaautorun.duia.ro tcp
US 8.8.8.8:53 www.shendaxian.com udp
HK 164.88.110.29:80 www.shendaxian.com tcp
US 8.8.8.8:53 www.sqlite.org udp
US 45.33.6.223:80 www.sqlite.org tcp
NG 41.217.29.135:5465 javaautorun.duia.ro tcp
US 8.8.8.8:53 www.entacaoagencia.com udp
US 162.0.213.190:80 www.entacaoagencia.com tcp
US 162.0.213.190:80 www.entacaoagencia.com tcp
US 8.8.8.8:53 www.hudsonbreadcafe.com udp
US 199.59.243.222:80 www.hudsonbreadcafe.com tcp
US 199.59.243.222:80 www.hudsonbreadcafe.com tcp
US 8.8.8.8:53 www.pauloeamanda.com udp
US 54.85.86.211:80 www.pauloeamanda.com tcp
US 54.85.86.211:80 www.pauloeamanda.com tcp
NG 41.217.29.135:5465 javaautorun.duia.ro tcp
US 8.8.8.8:53 www.emu-o.com udp
JP 150.95.59.24:80 www.emu-o.com tcp
JP 150.95.59.24:80 www.emu-o.com tcp
US 8.8.8.8:53 www.eyecandybeautysalon.com udp
US 151.101.1.211:80 www.eyecandybeautysalon.com tcp
US 151.101.1.211:80 www.eyecandybeautysalon.com tcp
US 8.8.8.8:53 www.lisakykozla.xyz udp
GB 109.123.121.243:80 www.lisakykozla.xyz tcp
GB 109.123.121.243:80 www.lisakykozla.xyz tcp
US 8.8.8.8:53 www.fansfulig.com udp
NG 41.217.29.135:5465 javaautorun.duia.ro tcp
HK 8.212.24.67:80 www.fansfulig.com tcp
HK 8.212.24.67:80 www.fansfulig.com tcp
US 8.8.8.8:53 www.hdfilmizleburada.com udp
HK 156.241.79.221:80 www.hdfilmizleburada.com tcp
HK 156.241.79.221:80 www.hdfilmizleburada.com tcp
US 8.8.8.8:53 www.performance-trader.com udp
DE 81.169.145.93:80 www.performance-trader.com tcp
DE 81.169.145.93:80 www.performance-trader.com tcp
US 8.8.8.8:53 www.citizenlab.tech udp
VN 103.130.216.151:80 www.citizenlab.tech tcp
NG 41.217.29.135:5465 javaautorun.duia.ro tcp
VN 103.130.216.151:80 www.citizenlab.tech tcp
US 8.8.8.8:53 www.caffe-italia1990.store udp
IT 195.110.124.133:80 www.caffe-italia1990.store tcp
IT 195.110.124.133:80 www.caffe-italia1990.store tcp
US 8.8.8.8:53 www.alshahira.app udp
US 99.198.107.166:80 www.alshahira.app tcp

Files

memory/1444-54-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

memory/460-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\WvtFvwPcPZ.js

MD5 3589411aa8a0eb5b2130b6f012c5e15e
SHA1 17f11b37cea60cbad8a275b67cbdf4c87fc8f4b9
SHA256 0a9e55b1f39f811950237ab0022fd1540a3d6ce359d1d6305b73d8995b59243b
SHA512 a7a40aee84ef42b35b1f1a8e0e3a7441a8a6779eb1f2e02eb5c43cdae9f168b8829b783f08f8c5be0ebb091437e532cc52bf64dd16b6e67d6e6acb9f7c959395

memory/584-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\bin.exe

MD5 26db0806c0871f293a77e5d5676e2fd8
SHA1 7c17ccce454d81bb999c04d45e9e4913969a73ee
SHA256 2c623f8e02e0aef43501e320fd20a3b407dcf35676e6620574bf7e8ce4844e66
SHA512 0dac19dab4827a036a4e42371807639a4c378b440c3edc9ae30171cfb62a894243dc55ad5145434fac384aa37dd32381d148757e35c08300bbfe45c4cb85c09f

memory/584-60-0x0000000001160000-0x000000000118F000-memory.dmp

memory/584-61-0x00000000008A0000-0x0000000000BA3000-memory.dmp

memory/584-62-0x0000000000070000-0x0000000000080000-memory.dmp

memory/1344-63-0x0000000004BE0000-0x0000000004CA1000-memory.dmp

memory/996-64-0x0000000000000000-mapping.dmp

memory/996-65-0x00000000008B0000-0x00000000008F6000-memory.dmp

memory/996-66-0x0000000000080000-0x00000000000AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bin.exe

MD5 26db0806c0871f293a77e5d5676e2fd8
SHA1 7c17ccce454d81bb999c04d45e9e4913969a73ee
SHA256 2c623f8e02e0aef43501e320fd20a3b407dcf35676e6620574bf7e8ce4844e66
SHA512 0dac19dab4827a036a4e42371807639a4c378b440c3edc9ae30171cfb62a894243dc55ad5145434fac384aa37dd32381d148757e35c08300bbfe45c4cb85c09f

memory/996-68-0x0000000001FD0000-0x00000000022D3000-memory.dmp

memory/996-69-0x0000000001D90000-0x0000000001E1F000-memory.dmp

memory/1344-70-0x00000000071F0000-0x0000000007353000-memory.dmp

memory/996-71-0x0000000000080000-0x00000000000AD000-memory.dmp

memory/996-72-0x0000000075D71000-0x0000000075D73000-memory.dmp

\Users\Admin\AppData\Local\Temp\sqlite3.dll

MD5 87f9e5a6318ac1ec5ee05aa94a919d7a
SHA1 7a9956e8de89603dba99772da29493d3fd0fe37d
SHA256 7705b87603e0d772e1753441001fcf1ac2643ee41bf14a8177de2c056628665c
SHA512 c45c03176142918e34f746711e83384572bd6a8ed0a005600aa4a18cf22eade06c76eda190b37db49ec1971c4649e086affd19eee108c5f405df27c0c8cb23d2

memory/1344-74-0x00000000071F0000-0x0000000007353000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-12 13:21

Reported

2022-10-12 13:23

Platform

win10v2004-20220812-en

Max time kernel

149s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bin.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WvtFvwPcPZ.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WvtFvwPcPZ.js C:\Windows\System32\wscript.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 856 set thread context of 3092 N/A C:\Users\Admin\AppData\Local\Temp\bin.exe C:\Windows\Explorer.EXE
PID 1288 set thread context of 3092 N/A C:\Windows\SysWOW64\wlanext.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\wlanext.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A (8 identical rows)
N/A N/A C:\Windows\SysWOW64\wlanext.exe N/A (56 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wlanext.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Swift_049949_pdf.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\WvtFvwPcPZ.js"

C:\Users\Admin\AppData\Local\Temp\bin.exe

"C:\Users\Admin\AppData\Local\Temp\bin.exe"

C:\Windows\SysWOW64\wlanext.exe

"C:\Windows\SysWOW64\wlanext.exe"

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

Network

Country Destination Domain Proto
US 8.252.118.126:80 tcp
US 8.252.118.126:80 tcp
US 8.8.8.8:53 javaautorun.duia.ro udp
NG 41.217.29.135:5465 javaautorun.duia.ro tcp
US 8.252.118.126:80 tcp
US 8.252.118.126:80 tcp
US 8.252.118.126:80 tcp
US 8.8.8.8:53 www.shendaxian.com udp
HK 164.88.110.29:80 www.shendaxian.com tcp
US 8.252.118.126:80 tcp
NG 41.217.29.135:5465 javaautorun.duia.ro tcp
US 8.8.8.8:53 www.entacaoagencia.com udp
US 162.0.213.190:80 www.entacaoagencia.com tcp
US 52.152.108.96:443 tcp
US 162.0.213.190:80 www.entacaoagencia.com tcp
US 162.0.213.190:80 www.entacaoagencia.com tcp
US 162.0.213.190:80 www.entacaoagencia.com tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 8.253.209.121:80 tcp
US 8.8.8.8:53 www.hudsonbreadcafe.com udp
US 199.59.243.222:80 www.hudsonbreadcafe.com tcp
US 199.59.243.222:80 www.hudsonbreadcafe.com tcp
US 8.252.118.126:80 tcp
US 199.59.243.222:80 www.hudsonbreadcafe.com tcp
US 199.59.243.222:80 www.hudsonbreadcafe.com tcp
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
US 8.8.8.8:53 www.pauloeamanda.com udp
US 54.85.86.211:80 www.pauloeamanda.com tcp
US 54.85.86.211:80 www.pauloeamanda.com tcp
NG 41.217.29.135:5465 javaautorun.duia.ro tcp
US 54.85.86.211:80 www.pauloeamanda.com tcp
US 54.85.86.211:80 www.pauloeamanda.com tcp
US 8.8.8.8:53 www.emu-o.com udp
JP 150.95.59.24:80 www.emu-o.com tcp
JP 150.95.59.24:80 www.emu-o.com tcp
JP 150.95.59.24:80 www.emu-o.com tcp
JP 150.95.59.24:80 www.emu-o.com tcp
US 8.8.8.8:53 www.eyecandybeautysalon.com udp
US 151.101.1.211:80 www.eyecandybeautysalon.com tcp
US 151.101.1.211:80 www.eyecandybeautysalon.com tcp
US 151.101.1.211:80 www.eyecandybeautysalon.com tcp
US 151.101.1.211:80 www.eyecandybeautysalon.com tcp
NG 41.217.29.135:5465 javaautorun.duia.ro tcp
US 8.8.8.8:53 www.lisakykozla.xyz udp
GB 109.123.121.243:80 www.lisakykozla.xyz tcp
GB 109.123.121.243:80 www.lisakykozla.xyz tcp
GB 109.123.121.243:80 www.lisakykozla.xyz tcp
GB 109.123.121.243:80 www.lisakykozla.xyz tcp
US 8.8.8.8:53 www.fansfulig.com udp
HK 8.212.24.67:80 www.fansfulig.com tcp
HK 8.212.24.67:80 www.fansfulig.com tcp
HK 8.212.24.67:80 www.fansfulig.com tcp
HK 8.212.24.67:80 www.fansfulig.com tcp
NG 41.217.29.135:5465 javaautorun.duia.ro tcp
US 8.8.8.8:53 www.hdfilmizleburada.com udp
HK 156.241.79.221:80 www.hdfilmizleburada.com tcp
HK 156.241.79.221:80 www.hdfilmizleburada.com tcp
HK 156.241.79.221:80 www.hdfilmizleburada.com tcp
HK 156.241.79.221:80 www.hdfilmizleburada.com tcp
US 8.8.8.8:53 www.performance-trader.com udp
DE 81.169.145.93:80 www.performance-trader.com tcp
DE 81.169.145.93:80 www.performance-trader.com tcp
DE 81.169.145.93:80 www.performance-trader.com tcp
DE 81.169.145.93:80 www.performance-trader.com tcp
US 8.8.8.8:53 www.citizenlab.tech udp
VN 103.130.216.151:80 www.citizenlab.tech tcp
NG 41.217.29.135:5465 javaautorun.duia.ro tcp
VN 103.130.216.151:80 www.citizenlab.tech tcp
VN 103.130.216.151:80 www.citizenlab.tech tcp
VN 103.130.216.151:80 www.citizenlab.tech tcp
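Both Network tables (behavioral1 and behavioral2) mix DNS lookups, short HTTP connections to many unrelated domains, rows whose Domain column is empty, and one destination on tcp/5465 that recurs through the whole run. The script below is an added example for this page, not sandbox output: it parses rows in the table's own format (the embedded rows are an excerpt of the behavioral2 table above), buckets TCP destinations into repeated or non-web-port candidates, ordinary web hosts and unresolved IPs, and emits a flat IOC list. The function names and the BEACON_MIN_HITS threshold are this example's assumptions.

```python
"""Turn a sandbox Network table into bucketed IOCs.  Added example, not sandbox
output; the rows below are an excerpt of the behavioral2 table above."""
import re
from collections import Counter

# Constructed input: excerpt of the behavioral2 Network table, header included,
# keeping the rows whose Domain column is blank.
NETWORK_ROWS = """
Country Destination Domain Proto
US 8.252.118.126:80 tcp
US 8.252.118.126:80 tcp
US 8.8.8.8:53 javaautorun.duia.ro udp
NG 41.217.29.135:5465 javaautorun.duia.ro tcp
US 8.8.8.8:53 www.shendaxian.com udp
HK 164.88.110.29:80 www.shendaxian.com tcp
NG 41.217.29.135:5465 javaautorun.duia.ro tcp
US 8.8.8.8:53 www.entacaoagencia.com udp
US 162.0.213.190:80 www.entacaoagencia.com tcp
US 52.152.108.96:443 tcp
US 162.0.213.190:80 www.entacaoagencia.com tcp
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
US 8.8.8.8:53 www.pauloeamanda.com udp
US 54.85.86.211:80 www.pauloeamanda.com tcp
US 54.85.86.211:80 www.pauloeamanda.com tcp
NG 41.217.29.135:5465 javaautorun.duia.ro tcp
"""

# Domain is optional: the sandbox leaves it blank when no DNS answer maps to the IP.
ROW_RE = re.compile(r"^([A-Z]{2})\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?:\s+(\S+))?\s+(tcp|udp)$")
WEB_PORTS = (80, 443)
BEACON_MIN_HITS = 3  # assumed threshold; tune to the run length


def parse_network(text):
    """Rows as dicts; the header line and anything that does not parse are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append({"country": country, "ip": ip, "port": int(port),
                         "domain": domain, "proto": proto})
    return rows


def summarize(rows):
    """Bucket TCP destinations; names that were only looked up are reported separately."""
    tcp = Counter((r["ip"], r["port"], r["domain"]) for r in rows if r["proto"] == "tcp")
    queried = {r["domain"] for r in rows
               if r["proto"] == "udp" and r["port"] == 53 and r["domain"]}
    connected = {d for (_, _, d) in tcp if d}
    reverse = {d for d in queried if d.endswith(".in-addr.arpa")}  # PTR lookups, not hosts
    out = {"beacon_candidates": [], "web_hosts": [], "unresolved": [],
           "dns_only": sorted(queried - connected - reverse)}
    for (ip, port, dom), hits in sorted(tcp.items(), key=lambda kv: -kv[1]):
        entry = {"ip": ip, "port": port, "domain": dom, "hits": hits}
        if port not in WEB_PORTS or hits >= BEACON_MIN_HITS:
            out["beacon_candidates"].append(entry)
        elif dom is None:
            out["unresolved"].append(entry)
        else:
            out["web_hosts"].append(entry)
    return out


def ioc_lines(summary):
    """Flat list: one 'ip:port[ domain] # bucket xN' line per distinct destination."""
    lines = []
    for bucket in ("beacon_candidates", "web_hosts", "unresolved"):
        for e in summary[bucket]:
            dom = f' {e["domain"]}' if e["domain"] else ""
            lines.append(f'{e["ip"]}:{e["port"]}{dom} # {bucket} x{e["hits"]}')
    return lines


if __name__ == "__main__":
    s = summarize(parse_network(NETWORK_ROWS))
    print("\n".join(ioc_lines(s)))
    print("dns_only:", s["dns_only"])
```

A destination in beacon_candidates is a candidate to check, not a verdict: a CDN or update server polled often on port 80 lands there as well once BEACON_MIN_HITS is reached. On this excerpt the only entry is 41.217.29.135:5465 (javaautorun.duia.ro); the two IPs with no Domain column end up in unresolved so they are not silently dropped, and the in-addr.arpa lookup is excluded from dns_only because it is a reverse lookup, not a host the sample tried to reach.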

Files

memory/2256-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\WvtFvwPcPZ.js

MD5 3589411aa8a0eb5b2130b6f012c5e15e
SHA1 17f11b37cea60cbad8a275b67cbdf4c87fc8f4b9
SHA256 0a9e55b1f39f811950237ab0022fd1540a3d6ce359d1d6305b73d8995b59243b
SHA512 a7a40aee84ef42b35b1f1a8e0e3a7441a8a6779eb1f2e02eb5c43cdae9f168b8829b783f08f8c5be0ebb091437e532cc52bf64dd16b6e67d6e6acb9f7c959395

memory/856-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\bin.exe

MD5 26db0806c0871f293a77e5d5676e2fd8
SHA1 7c17ccce454d81bb999c04d45e9e4913969a73ee
SHA256 2c623f8e02e0aef43501e320fd20a3b407dcf35676e6620574bf7e8ce4844e66
SHA512 0dac19dab4827a036a4e42371807639a4c378b440c3edc9ae30171cfb62a894243dc55ad5145434fac384aa37dd32381d148757e35c08300bbfe45c4cb85c09f

C:\Users\Admin\AppData\Local\Temp\bin.exe

MD5 26db0806c0871f293a77e5d5676e2fd8
SHA1 7c17ccce454d81bb999c04d45e9e4913969a73ee
SHA256 2c623f8e02e0aef43501e320fd20a3b407dcf35676e6620574bf7e8ce4844e66
SHA512 0dac19dab4827a036a4e42371807639a4c378b440c3edc9ae30171cfb62a894243dc55ad5145434fac384aa37dd32381d148757e35c08300bbfe45c4cb85c09f

memory/856-137-0x00000000006B0000-0x00000000006DF000-memory.dmp

memory/856-138-0x00000000014B0000-0x00000000017FA000-memory.dmp

memory/856-139-0x0000000000BD0000-0x0000000000BE0000-memory.dmp

memory/3092-140-0x0000000008260000-0x000000000836C000-memory.dmp

memory/1288-141-0x0000000000000000-mapping.dmp

memory/1288-142-0x0000000000250000-0x0000000000267000-memory.dmp

memory/1288-143-0x0000000000730000-0x000000000075D000-memory.dmp

memory/1288-144-0x0000000001130000-0x000000000147A000-memory.dmp

memory/1288-145-0x0000000000E60000-0x0000000000EEF000-memory.dmp

memory/3092-146-0x0000000008370000-0x00000000084FE000-memory.dmp

memory/1288-147-0x0000000000730000-0x000000000075D000-memory.dmp

memory/3092-148-0x0000000008370000-0x00000000084FE000-memory.dmp