Malware Analysis Report

2025-08-10 22:11

Sample ID 231011-rx9gbsfc44
Target CDE 0915.bz
SHA256 f9e2630c091701b27dd620807655fce9c9db2dd36dfcf382feafd8ef165f0946
Tags
formbook k13s rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f9e2630c091701b27dd620807655fce9c9db2dd36dfcf382feafd8ef165f0946

Threat Level: Known bad

The file CDE 0915.bz was found to be: Known bad.

Malicious Activity Summary

formbook k13s rat spyware stealer trojan

Formbook

Formbook payload

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-11 14:35

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-11 14:35

Reported

2023-10-12 03:54

Platform

win7-20230831-en

Max time kernel

150s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |

Loads dropped DLL

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CDE 0915.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3060 set thread context of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Users\Admin\AppData\Local\Temp\myyzql.exe |
| PID 2724 set thread context of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Windows\Explorer.EXE |
| PID 2724 set thread context of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Windows\Explorer.EXE |
| PID 2764 set thread context of 1244 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Windows\Explorer.EXE |

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\systray.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2324 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\CDE 0915.exe | C:\Users\Admin\AppData\Local\Temp\myyzql.exe |
| PID 2324 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\CDE 0915.exe | C:\Users\Admin\AppData\Local\Temp\myyzql.exe |
| PID 2324 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\CDE 0915.exe | C:\Users\Admin\AppData\Local\Temp\myyzql.exe |
| PID 2324 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\CDE 0915.exe | C:\Users\Admin\AppData\Local\Temp\myyzql.exe |
| PID 3060 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Users\Admin\AppData\Local\Temp\myyzql.exe |
| PID 3060 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Users\Admin\AppData\Local\Temp\myyzql.exe |
| PID 3060 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Users\Admin\AppData\Local\Temp\myyzql.exe |
| PID 3060 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Users\Admin\AppData\Local\Temp\myyzql.exe |
| PID 3060 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Users\Admin\AppData\Local\Temp\myyzql.exe |
| PID 2724 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Windows\SysWOW64\systray.exe |
| PID 2724 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Windows\SysWOW64\systray.exe |
| PID 2724 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Windows\SysWOW64\systray.exe |
| PID 2724 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Windows\SysWOW64\systray.exe |
| PID 2764 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2764 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2764 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2764 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Windows\SysWOW64\cmd.exe |

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\CDE 0915.exe

"C:\Users\Admin\AppData\Local\Temp\CDE 0915.exe"

C:\Users\Admin\AppData\Local\Temp\myyzql.exe

"C:\Users\Admin\AppData\Local\Temp\myyzql.exe"

C:\Users\Admin\AppData\Local\Temp\myyzql.exe

"C:\Users\Admin\AppData\Local\Temp\myyzql.exe"

C:\Windows\SysWOW64\systray.exe

"C:\Windows\SysWOW64\systray.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\myyzql.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.webpanel.cfd | udp |
| US | 8.8.8.8:53 | www.xxxmovs.world | udp |
| NL | 81.171.28.46:80 | www.xxxmovs.world | tcp |
| US | 8.8.8.8:53 | www.ihb4y.com | udp |
| US | 8.8.8.8:53 | www.hkbnzb36a52z.xyz | udp |
| US | 8.8.8.8:53 | www.landscapestandard.com | udp |
| US | 18.119.154.66:80 | www.landscapestandard.com | tcp |
| US | 8.8.8.8:53 | www.willispeng.com | udp |
| US | 34.149.87.45:80 | www.willispeng.com | tcp |

Files

\Users\Admin\AppData\Local\Temp\myyzql.exe

MD5 e460b7d571b50e5950fdd69feebf2357
SHA1 04d5a524e57a760f0bcea873faab604a6364428d
SHA256 c42d7a0eb68618cb608daf7de1233989e9704edbf9f8b09a590ac07c378d9fed
SHA512 444f6a9bb022eee54090c67534de0873f9f0e28850b49aea7163760bff72e34c61d4c840e0bde66d799c3b9f8f92e87ed1dd3f326d4be621ff6f82a3ad522863

C:\Users\Admin\AppData\Local\Temp\myyzql.exe

MD5 e460b7d571b50e5950fdd69feebf2357
SHA1 04d5a524e57a760f0bcea873faab604a6364428d
SHA256 c42d7a0eb68618cb608daf7de1233989e9704edbf9f8b09a590ac07c378d9fed
SHA512 444f6a9bb022eee54090c67534de0873f9f0e28850b49aea7163760bff72e34c61d4c840e0bde66d799c3b9f8f92e87ed1dd3f326d4be621ff6f82a3ad522863

memory/3060-6-0x0000000000090000-0x0000000000092000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eazmqu.yfg

MD5 33b827d4ebc3080d1b326e7335dfdfbe
SHA1 28830e77aa2c9a4b512e20d18734bf03379c81ba
SHA256 e18d141bb79de85f32948f75025263084559780d116f5ddbca8767636b8058d9
SHA512 4a47d359cded2f7c634827d2f39522bd0e4e741579401455aed57cabbefc905bf51566c5216aa7879489f7f234ee8255c5f01e7fcf079a7e6fd4cf27c848fba3

\Users\Admin\AppData\Local\Temp\myyzql.exe

MD5 e460b7d571b50e5950fdd69feebf2357
SHA1 04d5a524e57a760f0bcea873faab604a6364428d
SHA256 c42d7a0eb68618cb608daf7de1233989e9704edbf9f8b09a590ac07c378d9fed
SHA512 444f6a9bb022eee54090c67534de0873f9f0e28850b49aea7163760bff72e34c61d4c840e0bde66d799c3b9f8f92e87ed1dd3f326d4be621ff6f82a3ad522863

C:\Users\Admin\AppData\Local\Temp\myyzql.exe

MD5 e460b7d571b50e5950fdd69feebf2357
SHA1 04d5a524e57a760f0bcea873faab604a6364428d
SHA256 c42d7a0eb68618cb608daf7de1233989e9704edbf9f8b09a590ac07c378d9fed
SHA512 444f6a9bb022eee54090c67534de0873f9f0e28850b49aea7163760bff72e34c61d4c840e0bde66d799c3b9f8f92e87ed1dd3f326d4be621ff6f82a3ad522863

memory/2724-10-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\myyzql.exe

MD5 e460b7d571b50e5950fdd69feebf2357
SHA1 04d5a524e57a760f0bcea873faab604a6364428d
SHA256 c42d7a0eb68618cb608daf7de1233989e9704edbf9f8b09a590ac07c378d9fed
SHA512 444f6a9bb022eee54090c67534de0873f9f0e28850b49aea7163760bff72e34c61d4c840e0bde66d799c3b9f8f92e87ed1dd3f326d4be621ff6f82a3ad522863

memory/2724-13-0x0000000000800000-0x0000000000B03000-memory.dmp

memory/2724-15-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1244-16-0x00000000037E0000-0x00000000038E0000-memory.dmp

memory/2724-17-0x0000000000200000-0x0000000000214000-memory.dmp

memory/1244-18-0x0000000006AE0000-0x0000000006C5E000-memory.dmp

memory/2724-20-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2724-21-0x0000000000350000-0x0000000000364000-memory.dmp

memory/1244-22-0x00000000037E0000-0x00000000038E0000-memory.dmp

memory/1244-23-0x0000000006D50000-0x0000000006EE3000-memory.dmp

memory/2764-24-0x00000000007E0000-0x00000000007E5000-memory.dmp

memory/2764-25-0x00000000007E0000-0x00000000007E5000-memory.dmp

memory/2764-26-0x0000000000080000-0x00000000000AF000-memory.dmp

memory/2764-27-0x0000000001EC0000-0x00000000021C3000-memory.dmp

memory/1244-28-0x0000000006D50000-0x0000000006EE3000-memory.dmp

memory/2764-29-0x0000000000080000-0x00000000000AF000-memory.dmp

memory/2764-30-0x0000000001CF0000-0x0000000001D83000-memory.dmp

memory/1244-31-0x00000000037E0000-0x00000000038E0000-memory.dmp

memory/1244-32-0x0000000003AD0000-0x0000000003BA8000-memory.dmp

memory/1244-34-0x0000000003AD0000-0x0000000003BA8000-memory.dmp

memory/1244-36-0x0000000003AD0000-0x0000000003BA8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-11 14:35

Reported

2023-10-12 03:53

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2332 set thread context of 3388 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Users\Admin\AppData\Local\Temp\myyzql.exe |
| PID 3388 set thread context of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Windows\Explorer.EXE |
| PID 2092 set thread context of 2572 | N/A | C:\Windows\SysWOW64\cscript.exe | C:\Windows\Explorer.EXE |

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |

Suspicious behavior: GetForegroundWindowSpam

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |

Suspicious use of UnmapMainImage

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 960 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\CDE 0915.exe | C:\Users\Admin\AppData\Local\Temp\myyzql.exe |
| PID 960 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\CDE 0915.exe | C:\Users\Admin\AppData\Local\Temp\myyzql.exe |
| PID 960 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\CDE 0915.exe | C:\Users\Admin\AppData\Local\Temp\myyzql.exe |
| PID 2332 wrote to memory of 3388 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Users\Admin\AppData\Local\Temp\myyzql.exe |
| PID 2332 wrote to memory of 3388 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Users\Admin\AppData\Local\Temp\myyzql.exe |
| PID 2332 wrote to memory of 3388 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Users\Admin\AppData\Local\Temp\myyzql.exe |
| PID 2332 wrote to memory of 3388 | N/A | C:\Users\Admin\AppData\Local\Temp\myyzql.exe | C:\Users\Admin\AppData\Local\Temp\myyzql.exe |
| PID 2572 wrote to memory of 2092 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\cscript.exe |
| PID 2572 wrote to memory of 2092 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\cscript.exe |
| PID 2572 wrote to memory of 2092 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\cscript.exe |
| PID 2092 wrote to memory of 4612 | N/A | C:\Windows\SysWOW64\cscript.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2092 wrote to memory of 4612 | N/A | C:\Windows\SysWOW64\cscript.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2092 wrote to memory of 4612 | N/A | C:\Windows\SysWOW64\cscript.exe | C:\Windows\SysWOW64\cmd.exe |

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\CDE 0915.exe

"C:\Users\Admin\AppData\Local\Temp\CDE 0915.exe"

C:\Users\Admin\AppData\Local\Temp\myyzql.exe

"C:\Users\Admin\AppData\Local\Temp\myyzql.exe"

C:\Users\Admin\AppData\Local\Temp\myyzql.exe

"C:\Users\Admin\AppData\Local\Temp\myyzql.exe"

C:\Windows\SysWOW64\cscript.exe

"C:\Windows\SysWOW64\cscript.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\myyzql.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.81.57.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.premiumistudysolution.com | udp |
| CA | 142.44.226.116:80 | www.premiumistudysolution.com | tcp |
| US | 8.8.8.8:53 | 116.226.44.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.nongsanvietco.com | udp |
| VN | 103.75.184.21:80 | www.nongsanvietco.com | tcp |
| US | 8.8.8.8:53 | 21.184.75.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.ywx5pn.com | udp |
| US | 8.8.8.8:53 | www.highcaliberhusbands.com | udp |
| US | 8.8.8.8:53 | www.xyhbg.com | udp |
| US | 154.64.84.212:80 | www.xyhbg.com | tcp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.84.64.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.webpanel.cfd | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |

Files

C:\Users\Admin\AppData\Local\Temp\myyzql.exe

MD5 e460b7d571b50e5950fdd69feebf2357
SHA1 04d5a524e57a760f0bcea873faab604a6364428d
SHA256 c42d7a0eb68618cb608daf7de1233989e9704edbf9f8b09a590ac07c378d9fed
SHA512 444f6a9bb022eee54090c67534de0873f9f0e28850b49aea7163760bff72e34c61d4c840e0bde66d799c3b9f8f92e87ed1dd3f326d4be621ff6f82a3ad522863

C:\Users\Admin\AppData\Local\Temp\myyzql.exe

MD5 e460b7d571b50e5950fdd69feebf2357
SHA1 04d5a524e57a760f0bcea873faab604a6364428d
SHA256 c42d7a0eb68618cb608daf7de1233989e9704edbf9f8b09a590ac07c378d9fed
SHA512 444f6a9bb022eee54090c67534de0873f9f0e28850b49aea7163760bff72e34c61d4c840e0bde66d799c3b9f8f92e87ed1dd3f326d4be621ff6f82a3ad522863

memory/2332-5-0x0000000001550000-0x0000000001552000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eazmqu.yfg

MD5 33b827d4ebc3080d1b326e7335dfdfbe
SHA1 28830e77aa2c9a4b512e20d18734bf03379c81ba
SHA256 e18d141bb79de85f32948f75025263084559780d116f5ddbca8767636b8058d9
SHA512 4a47d359cded2f7c634827d2f39522bd0e4e741579401455aed57cabbefc905bf51566c5216aa7879489f7f234ee8255c5f01e7fcf079a7e6fd4cf27c848fba3

memory/3388-7-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\myyzql.exe

MD5 e460b7d571b50e5950fdd69feebf2357
SHA1 04d5a524e57a760f0bcea873faab604a6364428d
SHA256 c42d7a0eb68618cb608daf7de1233989e9704edbf9f8b09a590ac07c378d9fed
SHA512 444f6a9bb022eee54090c67534de0873f9f0e28850b49aea7163760bff72e34c61d4c840e0bde66d799c3b9f8f92e87ed1dd3f326d4be621ff6f82a3ad522863

memory/3388-10-0x00000000017F0000-0x0000000001B3A000-memory.dmp

memory/3388-12-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3388-13-0x00000000014C0000-0x00000000014D4000-memory.dmp

memory/2572-14-0x0000000008DB0000-0x0000000008E6A000-memory.dmp

memory/2092-15-0x0000000000830000-0x0000000000857000-memory.dmp

memory/2092-16-0x0000000000830000-0x0000000000857000-memory.dmp

memory/2092-17-0x0000000001170000-0x000000000119F000-memory.dmp

memory/2092-18-0x0000000003220000-0x000000000356A000-memory.dmp

memory/2572-19-0x0000000008DB0000-0x0000000008E6A000-memory.dmp

memory/2092-21-0x0000000001170000-0x000000000119F000-memory.dmp

memory/2092-22-0x0000000001170000-0x000000000119F000-memory.dmp

memory/2092-23-0x0000000003050000-0x00000000030E3000-memory.dmp

memory/2572-24-0x00000000093B0000-0x0000000009517000-memory.dmp

memory/2572-25-0x00000000093B0000-0x0000000009517000-memory.dmp

memory/2572-27-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-29-0x0000000001330000-0x0000000001340000-memory.dmp

memory/2572-28-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-30-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-31-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-32-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-33-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-34-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-36-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-38-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-39-0x00000000093B0000-0x0000000009517000-memory.dmp

memory/2572-40-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-41-0x0000000001440000-0x0000000001450000-memory.dmp

memory/2572-42-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-43-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-44-0x0000000001440000-0x0000000001450000-memory.dmp

memory/2572-46-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-45-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-47-0x0000000001330000-0x0000000001340000-memory.dmp

memory/2572-49-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-51-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-53-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-54-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-56-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-55-0x0000000007B90000-0x0000000007BA0000-memory.dmp

memory/2572-58-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-57-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-59-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-61-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-63-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-62-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-60-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-70-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-71-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-72-0x0000000001440000-0x0000000001450000-memory.dmp

memory/2572-73-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-74-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-75-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-76-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-77-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-81-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-79-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-82-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-83-0x0000000003170000-0x0000000003180000-memory.dmp

memory/2572-84-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-85-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-86-0x00000000012F0000-0x0000000001300000-memory.dmp

memory/2572-87-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-89-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-88-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-93-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-91-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-95-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-96-0x00000000012F0000-0x0000000001300000-memory.dmp

memory/2572-97-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-98-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-100-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-102-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-101-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-105-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-104-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-112-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-113-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-114-0x00000000032E0000-0x00000000032F0000-memory.dmp

memory/2572-115-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-116-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-117-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-118-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-121-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-119-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-123-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-124-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-125-0x00000000032E0000-0x00000000032F0000-memory.dmp

memory/2572-126-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-127-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-129-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-131-0x0000000001320000-0x0000000001330000-memory.dmp

memory/2572-128-0x00000000032E0000-0x00000000032F0000-memory.dmp

memory/2572-133-0x0000000001320000-0x0000000001330000-memory.dmp