Malware Analysis Report

2025-04-14 08:32

Sample ID 240920-x7rxxsteqc
Target COMMERCAILINVOICEANDDHLAWBTRACKINGDETAILS.PDF.zip
SHA256 b64d445b57b68f8150535a837f45c57ae912f6276cb35422bf82a2822ffc3c70
Tags formbook jd21 discovery rat spyware stealer trojan (jd21 is the campaign identifier taken from the Formbook configuration)
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10
SHA256 b64d445b57b68f8150535a837f45c57ae912f6276cb35422bf82a2822ffc3c70
Threat Level: Known bad

The file COMMERCAILINVOICEANDDHLAWBTRACKINGDETAILS.PDF.zip was found to be: Known bad.

The ".PDF.zip" name is a shipping-invoice lure; the archive holds an unsigned, AutoIt-compiled executable (COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe). On execution it drops and runs C:\Users\Admin\AppData\Local\directory\name.exe, which writes the Formbook payload into a freshly started 32-bit svchost.exe and redirects its thread (WriteProcessMemory followed by SetThreadContext). The hollowed svchost.exe then sets the thread context of the already-running Explorer.EXE; from there a further system process (wscript.exe on Windows 10, explorer.exe on Windows 7) is started and used to run cmd.exe /c del against the svchost.exe path. Persistence is a name.vbs written to the user's Startup folder. Network activity is a series of DNS lookups for Formbook-style domains, a few of which were contacted over TCP/80.

Malicious Activity Summary

formbook jd21 discovery rat spyware stealer trojan

Formbook

Formbook payload

Loads dropped DLL

Drops startup file

Executes dropped EXE

AutoIT Executable

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Enterprise Matrix V15. Techniques that correspond to the signatures recorded in this report:

T1036 Masquerading (evidence: archive and executable named as a DHL invoice PDF)
T1059.010 Command and Scripting Interpreter: AutoHotKey & AutoIT (evidence: AutoIT Executable, static1)
T1059.003 Command and Scripting Interpreter: Windows Command Shell (evidence: cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe")
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (evidence: Drops startup file, name.vbs in the user's Startup folder)
T1055.012 Process Injection: Process Hollowing (evidence: name.exe wrote to memory of and set thread context of a child SysWOW64\svchost.exe)
T1055.003 Process Injection: Thread Execution Hijacking (evidence: SetThreadContext on the running Explorer.EXE)
T1614.001 System Location Discovery: System Language Discovery (evidence: NLS\Language key opened by every stage)
T1057 Process Discovery (evidence: Suspicious behavior: EnumeratesProcesses)
T1070.004 Indicator Removal: File Deletion (evidence: cmd.exe /c del on the hollowed svchost.exe path)
T1071.001 Application Layer Protocol: Web Protocols (evidence: TCP/80 connections in the Network tables)

Analysis: static1

Detonation Overview

Reported

2024-09-20 19:30

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A  (static match on the executable inside the archive: compiled AutoIt v3 script; static signatures carry no process context)

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A  (no Authenticode signature embedded in the executable)
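The two static signatures above can be reproduced offline. The Python below is an added example, not part of the sandbox report or its tooling: it walks the PE headers to see whether the Attribute Certificate Table (data directory entry 4) is populated, which is what "Unsigned PE" means at the file level, and scans the file for the AU3!EA06 marker that compiled AutoIt v3 scripts embed and that public YARA rules key on. The build_synthetic_pe fixture is a constructed minimal header for self-test, not the sample. Two caveats: a populated certificate table only shows that a signature blob is present, not that it verifies, and the marker is a heuristic that legitimate AutoIt tools carry as well.

```python
"""Static triage behind the 'Unsigned PE' and 'AutoIT Executable' signatures (stdlib only)."""
import struct

# Marker that compiled AutoIt v3 scripts embed in the PE overlay; common YARA rules key on it.
AUTOIT_MARKER = b"AU3!EA06"
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Attribute Certificate Table (Authenticode blob)


def _optional_header_offset(data):
    """Locate the optional header via e_lfanew; raises on anything that is not a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20  # skip "PE\0\0" and the 20-byte COFF file header


def security_directory(data):
    """Return (file_offset, size) of the certificate table; (0, 0) means no embedded signature."""
    opt = _optional_header_offset(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at optional-header offset 96
        dirs = opt + 96
    elif magic == 0x20B:      # PE32+: ImageBase and stack/heap fields are 8 bytes wide
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    count = struct.unpack_from("<I", data, dirs - 4)[0]  # NumberOfRvaAndSizes precedes the array
    if count <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)
    # The security entry holds a raw file offset, not an RVA.
    return struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def is_signed(data):
    """True if a certificate blob is present and lies inside the file (presence, not validity)."""
    off, size = security_directory(data)
    return size != 0 and off + size <= len(data)


def autoit_marker_offset(data):
    """Offset of the compiled-AutoIt marker, or -1 if absent."""
    return data.find(AUTOIT_MARKER)


def static_triage(data):
    return {"unsigned": not is_signed(data), "autoit_compiled": autoit_marker_offset(data) != -1}


def build_synthetic_pe(signed, autoit):
    """Constructed fixture: a minimal, non-runnable PE32 header plus overlay. Not the sample."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, 0 sections, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    overlay = b"\0" * 32 + (AUTOIT_MARKER + b"\0" * 16 if autoit else b"")
    cert = b"\0" * 8 if signed else b""                             # placeholder WIN_CERTIFICATE blob
    header_len = 64 + 4 + 20 + 224
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len + len(overlay), len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + overlay + cert


if __name__ == "__main__":
    # On a real file: static_triage(open(path, "rb").read())
    print(static_triage(build_synthetic_pe(signed=False, autoit=True)))
```

Run it against the extracted executable rather than the .zip: the signature check reads PE headers and will refuse anything that does not start with MZ.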

Analysis: behavioral2

Detonation Overview

Submitted 2024-09-20 19:30
Reported 2024-09-20 19:32
Platform win10v2004-20240802-en
Max time kernel 148s
Max time network 142s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook (tags: trojan spyware stealer formbook)

Formbook payload (tag: rat)

Description Indicator Process Target Count
N/A N/A N/A N/A x4

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs C:\Users\Admin\AppData\Local\directory\name.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\name.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target Count
PID 1768 set thread context of 4968 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\SysWOW64\svchost.exe x1
PID 4968 set thread context of 3432 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE x2
PID 4240 set thread context of 3432 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\Explorer.EXE x1

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\directory\name.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A x6
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A x56

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wscript.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1944 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe C:\Users\Admin\AppData\Local\directory\name.exe x3
PID 1768 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\SysWOW64\svchost.exe x4
PID 3432 wrote to memory of 4240 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wscript.exe x3
PID 4240 wrote to memory of 3720 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe x3

Processes

Process tree. PIDs are taken from the SetThreadContext and WriteProcessMemory rows above; Explorer.EXE is the pre-existing shell the sandbox launches the sample from. Command lines are reproduced as reported.

PID 3432  C:\Windows\Explorer.EXE  (pre-existing; thread context set by 4968 and 4240)
          cmd: C:\Windows\Explorer.EXE
  PID 4240  C:\Windows\SysWOW64\wscript.exe  (started from the injected Explorer.EXE)
            cmd: "C:\Windows\SysWOW64\wscript.exe"
    PID 3720  C:\Windows\SysWOW64\cmd.exe
              cmd: /c del "C:\Windows\SysWOW64\svchost.exe"
PID 1944  C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
  PID 1768  C:\Users\Admin\AppData\Local\directory\name.exe  (dropped executable)
            cmd: "C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
    PID 4968  C:\Windows\SysWOW64\svchost.exe  (written to and thread context set by 1768: Formbook host)
              cmd: "C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 www.forklift-jobs-29768.bond udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 www.alqahtani.site udp
US 15.197.148.33:80 www.alqahtani.site tcp
US 8.8.8.8:53 33.148.197.15.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 www.cyber-eu.digital udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.nextdoor3.store udp
US 8.8.8.8:53 www.r86gd377hi.rent udp
US 8.8.8.8:53 www.weight-loss-003.today udp
US 172.67.155.61:80 www.weight-loss-003.today tcp
US 8.8.8.8:53 61.155.67.172.in-addr.arpa udp

Note: rows ending in .in-addr.arpa are the sandbox's reverse lookups of IPs it observed, not connections made by the sample, and 8.8.8.8 is the sandbox resolver. Of the six hostnames looked up, only www.alqahtani.site (15.197.148.33) and www.weight-loss-003.today (172.67.155.61) were contacted, both over TCP/80.

Files

memory/1944-11-0x0000000003D20000-0x0000000003D24000-memory.dmp

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 6bbfded2baa5a18cc97d10516ee91c78
SHA1 9e39944c9d057d134b119c677be07975704e546e
SHA256 636597dd8c59135be43119197ee60db2268abaa5d8a60f4c0ac296acd9dc444f
SHA512 4d952c2ed6a876bd639b2a9e4baa5eeadbf01f314bcd1a2c80da564c4594330a5b26dc351c528b5c0d574e7013b387349ce77a274257b0df902a48e707545605

C:\Users\Admin\AppData\Local\Temp\Okeghem  (zero-byte file; the digests below are those of empty input)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\molecast

MD5 ee4cf49f57dbe9b317975148fc646c5a
SHA1 d108703eb6fcd1cce8ec0d2ef6cd0a8724de207d
SHA256 b9d18f83221f16f2f21ff6596e108562172c0e51ee1e78fae29fd4d512f9dc54
SHA512 5178a4e46d5d964f6ae9352749dcb29402ac6f75f85b117d4179fb04af1fd4faf8c2f588d1cb62d107e67fa9a3c4212c5c60bd9ada662f7989eec9acdf6732da

memory/4968-30-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4968-31-0x0000000001500000-0x000000000184A000-memory.dmp

memory/3432-35-0x0000000002CE0000-0x0000000002DFE000-memory.dmp

memory/4968-34-0x0000000001460000-0x0000000001475000-memory.dmp

memory/4968-33-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3432-39-0x00000000083F0000-0x000000000854A000-memory.dmp

memory/4968-38-0x00000000014D0000-0x00000000014E5000-memory.dmp

memory/4968-37-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3432-40-0x0000000002CE0000-0x0000000002DFE000-memory.dmp

memory/4240-42-0x00000000003C0000-0x00000000003E7000-memory.dmp

memory/4240-41-0x00000000003C0000-0x00000000003E7000-memory.dmp

memory/4240-43-0x0000000000800000-0x000000000082F000-memory.dmp

memory/3432-44-0x00000000083F0000-0x000000000854A000-memory.dmp

memory/3432-47-0x0000000002EF0000-0x0000000002F8F000-memory.dmp

memory/3432-48-0x0000000002EF0000-0x0000000002F8F000-memory.dmp

memory/3432-50-0x0000000002EF0000-0x0000000002F8F000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2024-09-20 19:30
Reported 2024-09-20 19:32
Platform win7-20240903-en
Max time kernel 146s
Max time network 145s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook (tags: trojan spyware stealer formbook)

Formbook payload (tag: rat)

Description Indicator Process Target Count
N/A N/A N/A N/A x3

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs C:\Users\Admin\AppData\Local\directory\name.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\name.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2328 set thread context of 2168 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\SysWOW64\svchost.exe
PID 2168 set thread context of 1208 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 2236 set thread context of 1208 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\directory\name.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\directory\name.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2368 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe C:\Users\Admin\AppData\Local\directory\name.exe x4
PID 2328 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\SysWOW64\svchost.exe x5
PID 2328 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\SysWOW64\WerFault.exe x4
PID 1208 wrote to memory of 2236 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe x4
PID 2236 wrote to memory of 2992 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe x4
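The WriteProcessMemory and SetThreadContext rows of both detonations describe the same injection graph. The Python below is an added example, not part of the sandbox report or its tooling: it parses the rows exactly as the report prints them, builds src->dst edges keyed by the API seen, and classifies each pair. A write followed by SetThreadContext on a process the source itself started is the hollowing pattern (name.exe -> svchost.exe); SetThreadContext alone on an already-running process is thread hijacking (svchost.exe -> Explorer.EXE); WriteProcessMemory alone is what ordinary process creation looks like to this hook, which is why the name.exe -> WerFault.exe rows appear and should not be read as injection. The row list is copied from the behavioral1 tables above with duplicates removed; the same code runs unchanged on the behavioral2 rows.

```python
"""Reconstruct the injection chain from sandbox WriteProcessMemory / SetThreadContext rows."""
import re
from collections import defaultdict

# Constructed input: the distinct rows of the "Suspicious use of SetThreadContext" and
# "Suspicious use of WriteProcessMemory" tables of the Win7 detonation (behavioral1) above.
ROWS = [
    r"PID 2328 set thread context of 2168 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\SysWOW64\svchost.exe",
    r"PID 2168 set thread context of 1208 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE",
    r"PID 2236 set thread context of 1208 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE",
    r"PID 2368 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe C:\Users\Admin\AppData\Local\directory\name.exe",
    r"PID 2328 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\SysWOW64\svchost.exe",
    r"PID 2328 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\SysWOW64\WerFault.exe",
    r"PID 1208 wrote to memory of 2236 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe",
    r"PID 2236 wrote to memory of 2992 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe",
]

# The source image may contain spaces, so it is matched lazily up to the " X:\" that starts the target image.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) (?P<dst>\d+) "
    r"N/A (?P<src_img>.+?) (?P<dst_img>[A-Za-z]:\\.*)$"
)
VERB = {"wrote to memory of": "write", "set thread context of": "setctx"}


def build_graph(rows):
    """Return (edges, images): edges maps (src, dst) -> set of API kinds; images maps pid -> image path."""
    edges = defaultdict(set)
    images = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)].add(VERB[m["verb"]])
        images[src] = m["src_img"]
        images[dst] = m["dst_img"]
    return dict(edges), images


def classify(kinds):
    """Interpret the API combination observed on one (src, dst) pair."""
    if kinds == {"write", "setctx"}:
        return "hollowing: src wrote the target's memory and redirected its thread"
    if kinds == {"setctx"}:
        return "thread hijack of an already-running process (no prior write from this src)"
    return "write-only: consistent with process creation; not injection by itself"


def compromise_order(edges):
    """Depth-first walk from the root PIDs (never a target), smallest PID first at each level."""
    children = defaultdict(list)
    targets = set()
    for src, dst in edges:
        children[src].append(dst)
        targets.add(dst)
    roots = sorted(pid for pid in children if pid not in targets)
    order, seen = [], set()

    def walk(pid):
        if pid in seen:
            return
        seen.add(pid)
        order.append(pid)
        for nxt in sorted(children.get(pid, [])):
            walk(nxt)

    for root in roots:
        walk(root)
    return order


def report(rows):
    """Human-readable summary: processes in order of compromise, then one verdict per edge."""
    edges, images = build_graph(rows)
    lines = [f"{pid:>5}  {images[pid]}" for pid in compromise_order(edges)]
    for (src, dst), kinds in sorted(edges.items()):
        lines.append(f"{src} -> {dst}: {classify(kinds)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(ROWS))
```

The root of the walk is the dropper (2368) because Explorer.EXE (1208) only appears as a target; in reality it was running first, which is exactly why its edge is classified as a hijack rather than hollowing.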

Processes

Process tree. PIDs are taken from the SetThreadContext and WriteProcessMemory rows above and from the WerFault.exe command line; Explorer.EXE is the pre-existing shell the sandbox launches the sample from. Command lines are reproduced as reported.

PID 1208  C:\Windows\Explorer.EXE  (pre-existing; thread context set by 2168 and 2236)
          cmd: C:\Windows\Explorer.EXE
  PID 2236  C:\Windows\SysWOW64\explorer.exe  (started from the injected Explorer.EXE)
            cmd: "C:\Windows\SysWOW64\explorer.exe"
    PID 2992  C:\Windows\SysWOW64\cmd.exe
              cmd: /c del "C:\Windows\SysWOW64\svchost.exe"
PID 2368  C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
  PID 2328  C:\Users\Admin\AppData\Local\directory\name.exe  (dropped executable; crashed, see Program crash)
            cmd: "C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
    PID 2168  C:\Windows\SysWOW64\svchost.exe  (written to and thread context set by 2328: Formbook host)
              cmd: "C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
    PID 2800  C:\Windows\SysWOW64\WerFault.exe  (crash handler for 2328)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 316

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.pools-99305.bond udp
DE 185.53.179.93:80 www.pools-99305.bond tcp
US 8.8.8.8:53 www.bobbyharvey.store udp
CA 23.227.38.74:80 www.bobbyharvey.store tcp
US 8.8.8.8:53 www.slab-leak-repair-74697.bond udp
US 8.8.8.8:53 www.thetrue.one udp
US 8.8.8.8:53 www.scw-iot.net udp
US 8.8.8.8:53 www.mvtb.pics udp
US 172.67.185.75:80 www.mvtb.pics tcp

Note: of the six hostnames looked up, three were contacted over TCP/80: www.pools-99305.bond (185.53.179.93, DE), www.bobbyharvey.store (23.227.38.74, CA) and www.mvtb.pics (172.67.185.75). The two detonations resolved disjoint sets of domains, consistent with Formbook cycling through its configured domain list.
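Both Network tables above mix three things: the sandbox resolver's reverse lookups (*.in-addr.arpa), DNS questions for domains taken from the Formbook configuration, and a handful of completed TCP/80 connections. Formbook's configuration carries a list of domains of which most are decoys, so a bare DNS lookup is a weak indicator, while a completed connection is stronger (though still not proof that the host is the live C2). The Python below is an added example, not part of the sandbox report or its tooling: it parses the rows as printed, discards the PTR noise and the resolver itself, and separates contacted hostnames from resolved-only ones. The row data is the two Network tables (behavioral2 and behavioral1) combined verbatim.

```python
"""Triage sandbox Network rows: drop resolver noise, split contacted from resolved-only domains."""
import re
from collections import OrderedDict

# Constructed input: the Network rows of the Win10 (behavioral2) and Win7 (behavioral1) detonations above.
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 www.forklift-jobs-29768.bond udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 www.alqahtani.site udp
US 15.197.148.33:80 www.alqahtani.site tcp
US 8.8.8.8:53 33.148.197.15.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 www.cyber-eu.digital udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.nextdoor3.store udp
US 8.8.8.8:53 www.r86gd377hi.rent udp
US 8.8.8.8:53 www.weight-loss-003.today udp
US 172.67.155.61:80 www.weight-loss-003.today tcp
US 8.8.8.8:53 61.155.67.172.in-addr.arpa udp
US 8.8.8.8:53 www.pools-99305.bond udp
DE 185.53.179.93:80 www.pools-99305.bond tcp
US 8.8.8.8:53 www.bobbyharvey.store udp
CA 23.227.38.74:80 www.bobbyharvey.store tcp
US 8.8.8.8:53 www.slab-leak-repair-74697.bond udp
US 8.8.8.8:53 www.thetrue.one udp
US 8.8.8.8:53 www.scw-iot.net udp
US 8.8.8.8:53 www.mvtb.pics udp
US 172.67.185.75:80 www.mvtb.pics tcp
""".strip().splitlines()

SANDBOX_RESOLVER = "8.8.8.8"  # the only DNS server in these tables
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<name>\S+) (?P<proto>tcp|udp)$"
)


def is_reverse_lookup(name):
    """PTR queries are the sandbox resolving every IP it saw, not behaviour of the sample."""
    return name.lower().endswith((".in-addr.arpa", ".ip6.arpa"))


def extract_iocs(rows):
    """Return {hostname: {'contacted': [(ip, port, proto, cc), ...]}} in first-seen order."""
    iocs = OrderedDict()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised network row: {row!r}")
        name = m["name"]
        if is_reverse_lookup(name):
            continue
        entry = iocs.setdefault(name, {"contacted": []})
        if m["ip"] == SANDBOX_RESOLVER and m["port"] == "53":
            continue  # the DNS question itself: looked up, not necessarily reached
        entry["contacted"].append((m["ip"], int(m["port"]), m["proto"], m["cc"]))
    return iocs


def split_by_contact(iocs):
    """Domains actually connected to vs. only resolved; the latter are weak IOCs for Formbook."""
    reached = {n: e["contacted"] for n, e in iocs.items() if e["contacted"]}
    resolved_only = [n for n, e in iocs.items() if not e["contacted"]]
    return reached, resolved_only


if __name__ == "__main__":
    reached, resolved_only = split_by_contact(extract_iocs(NETWORK_ROWS))
    for name, hits in reached.items():
        print("CONTACTED    ", name, *(f"{ip}:{port}/{proto} ({cc})" for ip, port, proto, cc in hits))
    for name in resolved_only:
        print("RESOLVED-ONLY", name)
```

Feed the "contacted" set to blocking or hunting first; keep the resolved-only names as low-confidence context, since the same configuration will produce a different subset on every run.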

Files

memory/2368-11-0x00000000005F0000-0x00000000005F4000-memory.dmp

\Users\Admin\AppData\Local\directory\name.exe

MD5 6bbfded2baa5a18cc97d10516ee91c78
SHA1 9e39944c9d057d134b119c677be07975704e546e
SHA256 636597dd8c59135be43119197ee60db2268abaa5d8a60f4c0ac296acd9dc444f
SHA512 4d952c2ed6a876bd639b2a9e4baa5eeadbf01f314bcd1a2c80da564c4594330a5b26dc351c528b5c0d574e7013b387349ce77a274257b0df902a48e707545605

C:\Users\Admin\AppData\Local\Temp\Okeghem  (zero-byte file; the digests below are those of empty input)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\molecast

MD5 ee4cf49f57dbe9b317975148fc646c5a
SHA1 d108703eb6fcd1cce8ec0d2ef6cd0a8724de207d
SHA256 b9d18f83221f16f2f21ff6596e108562172c0e51ee1e78fae29fd4d512f9dc54
SHA512 5178a4e46d5d964f6ae9352749dcb29402ac6f75f85b117d4179fb04af1fd4faf8c2f588d1cb62d107e67fa9a3c4212c5c60bd9ada662f7989eec9acdf6732da

memory/2168-32-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2168-41-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1208-40-0x0000000004D30000-0x0000000004DE6000-memory.dmp

memory/2168-39-0x0000000000180000-0x0000000000195000-memory.dmp

memory/2168-38-0x0000000000A60000-0x0000000000D63000-memory.dmp

memory/2236-44-0x00000000006F0000-0x0000000000971000-memory.dmp

memory/2236-43-0x00000000006F0000-0x0000000000971000-memory.dmp

memory/2236-45-0x0000000000080000-0x00000000000AF000-memory.dmp

memory/1208-46-0x0000000004D30000-0x0000000004DE6000-memory.dmp

memory/1208-50-0x0000000006690000-0x00000000067D0000-memory.dmp