Malware Analysis Report

2025-05-05 21:52

Sample ID 221018-m8635afed6
Target Foriegn Payment_swift.js
SHA256 819a81aabd1c014d5f27ba2ba1265dce1f667093279565d43f76a5e82d3ed7a9
Tags
formbook vjw0rm xrob rat spyware stealer trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

819a81aabd1c014d5f27ba2ba1265dce1f667093279565d43f76a5e82d3ed7a9

Threat Level: Known bad

The file Foriegn Payment_swift.js was found to be: Known bad.

Malicious Activity Summary

formbook vjw0rm xrob rat spyware stealer trojan worm

Vjw0rm

Formbook

Executes dropped EXE

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-18 11:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-18 11:09

Reported

2022-10-18 11:11

Platform

win7-20220901-en

Max time kernel

150s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bin.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdnTARLxlP.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdnTARLxlP.js C:\Windows\System32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1320 set thread context of 1208 N/A C:\Users\Admin\AppData\Local\Temp\bin.exe C:\Windows\Explorer.EXE
PID 1692 set thread context of 1208 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\wscript.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wscript.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1264 wrote to memory of 1992 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1264 wrote to memory of 1320 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\bin.exe
PID 1208 wrote to memory of 1692 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wscript.exe
PID 1692 wrote to memory of 1200 N/A C:\Windows\SysWOW64\wscript.exe C:\Program Files\Mozilla Firefox\Firefox.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Foriegn Payment_swift.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fdnTARLxlP.js"

C:\Users\Admin\AppData\Local\Temp\bin.exe

"C:\Users\Admin\AppData\Local\Temp\bin.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\SysWOW64\wscript.exe"

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2022-10-18 11:09

Reported

2022-10-18 11:11

Platform

win10v2004-20220812-en

Max time kernel

147s

Max time network

153s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Foriegn Payment_swift.js"

Signatures

Formbook

trojan spyware stealer formbook

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdnTARLxlP.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdnTARLxlP.js C:\Windows\System32\wscript.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2496 set thread context of 2720 N/A C:\Users\Admin\AppData\Local\Temp\bin.exe C:\Windows\Explorer.EXE
PID 4752 set thread context of 2720 N/A C:\Windows\SysWOW64\systray.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\systray.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
N/A N/A C:\Windows\SysWOW64\systray.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\systray.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Foriegn Payment_swift.js"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fdnTARLxlP.js"

C:\Users\Admin\AppData\Local\Temp\bin.exe

"C:\Users\Admin\AppData\Local\Temp\bin.exe"

C:\Windows\SysWOW64\systray.exe

"C:\Windows\SysWOW64\systray.exe"

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

Network


Files
