Analysis Overview
SHA256
6dde0bc3fc8d0b186be04fd2ca3b284aa7f922f28cd04830adc1e2e03d95e34b
Threat Level: Known bad
The file ION LABZ Statement.js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Formbook
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
Loads dropped DLL
Checks computer location settings
Drops startup file
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-09-22 10:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-22 10:31
Reported
2022-09-22 10:33
Platform
win7-20220812-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Formbook
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A (15 identical events, no further detail recorded) | N/A | C:\Windows\System32\WScript.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A (3 identical events, no further detail recorded) | N/A | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js | C:\Windows\System32\WScript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A (2 identical events, no further detail recorded) | N/A | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yhttn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fgnxz\\Yhttn.exe\"" | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1624 set thread context of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A (1 event) | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\ION LABZ Statement.js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vZrohjawOK.js"
C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\kpakazlev.txt"
C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe
C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe
C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe
C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe
C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe
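The powershell.exe entry in the process list above passes its script through `-enc`, which PowerShell reads as base64 over the UTF-16LE text of the script. The decoder below is an added example, not part of the original report: the command line constant is copied from the process list above, and every function name is this example's own. It recovers the script and, when the script is nothing but a `Start-Sleep`, returns the delay, since a bare sleep in an otherwise empty encoded command is a common way to run out a sandbox's clock and is the first thing to check.

```python
"""Decode a PowerShell -EncodedCommand argument taken from a process listing.

Added example, not the original report's content. The only report-derived
value is REPORTED_CMDLINE; the helper names are this example's own.
"""
from __future__ import annotations

import base64
import re
import shlex

# Copied from the report's process list (behavioral1 and behavioral2 show the same line).
REPORTED_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc '
    "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA=="
)

_SLEEP_ONLY = re.compile(
    r"^\s*Start-Sleep\s+(?:-s(?:econds)?\s+)?(\d+)\s*;?\s*$", re.IGNORECASE
)


def _is_encoded_command_flag(token: str) -> bool:
    """PowerShell accepts any prefix of -EncodedCommand starting with 'e' (-e, -ec, -enc, ...)."""
    if not token.startswith(("-", "/")):
        return False
    name = token[1:].lower()
    return bool(name) and name.startswith("e") and "encodedcommand".startswith(name)


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the decoded script for the first -EncodedCommand argument, or None if absent."""
    # posix=False keeps the Windows backslashes intact; quotes still group the exe path.
    args = shlex.split(cmdline, posix=False)
    for flag, value in zip(args, args[1:]):
        if not _is_encoded_command_flag(flag):
            continue
        raw = base64.b64decode(value, validate=True)
        if len(raw) % 2:
            raise ValueError("payload length is odd; -EncodedCommand is UTF-16LE")
        # PowerShell decodes the buffer as UTF-16LE; a BOM is tolerated if present.
        return raw.decode("utf-16-le").lstrip("\ufeff")
    return None


def sleep_only_seconds(script: str | None) -> int | None:
    """If the script does nothing but Start-Sleep, return the delay in seconds."""
    if script is None:
        return None
    m = _SLEEP_ONLY.match(script)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    decoded = decode_encoded_command(REPORTED_CMDLINE)
    print(repr(decoded))
    print("sleep-only delay:", sleep_only_seconds(decoded))
```

The decoded script is `Start-Sleep -Seconds 50`, so this powershell.exe instance does no work of its own and only delays the chain; it is still worth keeping as a detection anchor because `powershell.exe -enc` launched from a user's Temp directory by a freshly dropped executable is unusual on a workstation.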
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | jbd231.duckdns.org | udp |
| NL | 109.248.150.138:3269 | jbd231.duckdns.org | tcp |
| SE | 185.29.10.205:80 | 185.29.10.205 | tcp |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| SE | 185.29.10.205:80 | 185.29.10.205 | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
Files
memory/2012-54-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp
memory/1340-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\vZrohjawOK.js
| MD5 | aeea41deb4363e0a23003555ffc0ada1 |
| SHA1 | c1fc845800ef733bfd2886bceba15ed4ec19bbdb |
| SHA256 | e4b86c3adb3c82dcbf9e87518210b8f23e813174e93fa8b90f3b0ee0f024da1e |
| SHA512 | bcbe6e10d4a6f5166adc864274b534be36b5b238abe7d83c2d26c60cc25a7ff9b2d887c10c132c439108dbdae793d0ad061890a431f1e2b7df659dd67f5cd823 |
memory/1200-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\kpakazlev.txt
| MD5 | 1d6cb5a374117999329351e6f28268e3 |
| SHA1 | a08e5a413f3febe7def2dff25717cbfe16b315b5 |
| SHA256 | cbf7cbc7305bed6abb433ff9b8277c63a2d79dc845d2995adf8cc1c6dd5463dd |
| SHA512 | 0ce83690f1806a002bd68e6fd1caad2852146e8c03d78aefd5309868e184954793ed0546978dcc86d226c4a5a33437f6feb350cc7ef1a57615dbe80e22042c51 |
memory/1200-70-0x0000000002150000-0x0000000005150000-memory.dmp
memory/1200-74-0x0000000000180000-0x000000000018A000-memory.dmp
memory/1624-75-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe
| MD5 | ca997af70e0e7ba134bd85015d945684 |
| SHA1 | 0d2972cf028063d8086fc6207537d8d1796993b7 |
| SHA256 | 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec |
| SHA512 | 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9 |
memory/1624-78-0x0000000000C30000-0x0000000000C38000-memory.dmp
memory/1624-79-0x0000000075BA1000-0x0000000075BA3000-memory.dmp
memory/1624-80-0x0000000004F40000-0x0000000005014000-memory.dmp
memory/1624-81-0x0000000005010000-0x00000000050A2000-memory.dmp
memory/1804-82-0x0000000000000000-mapping.dmp
memory/1804-84-0x000000006EC60000-0x000000006F20B000-memory.dmp
memory/1200-85-0x0000000002150000-0x0000000005150000-memory.dmp
memory/1200-86-0x0000000000180000-0x000000000018A000-memory.dmp
memory/1804-87-0x000000006EC60000-0x000000006F20B000-memory.dmp
memory/1804-88-0x000000006EC60000-0x000000006F20B000-memory.dmp
\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe
| MD5 | ca997af70e0e7ba134bd85015d945684 |
| SHA1 | 0d2972cf028063d8086fc6207537d8d1796993b7 |
| SHA256 | 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec |
| SHA512 | 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9 |
memory/1628-92-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1628-93-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1628-95-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1628-96-0x00000000004012B0-mapping.dmp
memory/1628-99-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1628-100-0x0000000000401000-0x000000000042F000-memory.dmp
memory/1628-101-0x0000000000C40000-0x0000000000F43000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-22 10:31
Reported
2022-09-22 10:33
Platform
win10v2004-20220812-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Formbook
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A (16 identical events, no further detail recorded) | N/A | C:\Windows\System32\WScript.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A (2 identical events, no further detail recorded) | N/A | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js | C:\Windows\System32\WScript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yhttn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fgnxz\\Yhttn.exe\"" | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3732 set thread context of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A (2 identical events) | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A (2 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\ION LABZ Statement.js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vZrohjawOK.js"
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ursgowhxgc.txt"
C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe
C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe
C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| US | 93.184.220.29:80 | | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | jbd231.duckdns.org | udp |
| NL | 109.248.150.138:3269 | jbd231.duckdns.org | tcp |
| SE | 185.29.10.205:80 | 185.29.10.205 | tcp |
| IE | 13.69.239.74:443 | | tcp |
| SE | 185.29.10.205:80 | 185.29.10.205 | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| US | 8.252.118.126:80 | | tcp |
| US | 8.252.118.126:80 | | tcp |
| US | 8.252.118.126:80 | | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| US | 93.184.221.240:80 | | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| NL | 104.80.225.205:443 | | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
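Both Network tables (this one and the behavioral1 table above) list one row per connection, so the same endpoint appears many times and the DNS queries to the sandbox's resolver sit beside the actual C2 traffic. The script below is an added example, not part of the original report, that turns such a table into a de-duplicated indicator list with connection counts. The embedded table is a constructed subset of the rows on this page (jbd231.duckdns.org on 109.248.150.138:3269, javaautorun.duia.ro on 91.192.100.8:5432, the bare 185.29.10.205:80, and one destination that never resolved to a name); the parser also tolerates rows whose empty Domain cell has been shifted so that the protocol lands in the Domain column, which can happen when the table is exported. Names other than those report values are this example's own.

```python
"""Summarise a sandbox Network table into unique endpoints with connection counts.

Added example, not the original report's content. NETWORK_TABLE is a constructed
subset of the rows shown on this page; class and function names are this example's own.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | jbd231.duckdns.org | udp |
| NL | 109.248.150.138:3269 | jbd231.duckdns.org | tcp |
| SE | 185.29.10.205:80 | 185.29.10.205 | tcp |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| SE | 185.29.10.205:80 | 185.29.10.205 | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | tcp | |
"""

# The sandbox's own resolver; queries to it are not indicators, the names looked up are.
DNS_RESOLVERS = {"8.8.8.8"}


@dataclass(frozen=True)
class Endpoint:
    host: str   # resolved domain if the sandbox recorded one, else the bare IP
    ip: str
    port: int
    proto: str


def parse_rows(table: str) -> list[tuple[str, str, str, str]]:
    """Yield (country, destination, domain, proto) per data row, repairing shifted columns."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        # An empty Domain cell sometimes gets dropped on export, pushing 'tcp'/'udp'
        # into the Domain column and leaving Proto blank; put the protocol back.
        if proto == "" and domain.lower() in ("tcp", "udp"):
            domain, proto = "", domain.lower()
        rows.append((country, dest, domain, proto))
    return rows


def extract_iocs(table: str) -> tuple[dict[Endpoint, int], list[str]]:
    """Return (endpoint -> connection count, names resolved via the sandbox resolver)."""
    counts: Counter[Endpoint] = Counter()
    lookups: list[str] = []
    for _country, dest, domain, proto in parse_rows(table):
        ip, _, port = dest.rpartition(":")
        if ip in DNS_RESOLVERS and port == "53" and proto == "udp":
            if domain and domain not in lookups:
                lookups.append(domain)
            continue
        # A Domain cell that merely repeats the IP carries no name.
        host = domain if domain and domain != ip else ip
        counts[Endpoint(host, ip, int(port), proto)] += 1
    return dict(counts), lookups


def ioc_lines(table: str) -> list[str]:
    """Human-readable summary, most-contacted endpoint first."""
    counts, lookups = extract_iocs(table)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0].host, kv[0].port))
    lines = [f"{e.host}:{e.port} ({e.ip}, {e.proto}) x{n}" for e, n in ordered]
    lines.append("dns lookups: " + ", ".join(lookups))
    return lines


if __name__ == "__main__":
    print("\n".join(ioc_lines(NETWORK_TABLE)))
```

Unresolved destinations (no domain recorded) are kept but listed separately from the named C2 hosts; on this page those are plain web hits the sandbox could not attribute, and blocking them blindly would be a mistake, so the output leaves that judgement to the analyst.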
Files
memory/4408-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\vZrohjawOK.js
| MD5 | aeea41deb4363e0a23003555ffc0ada1 |
| SHA1 | c1fc845800ef733bfd2886bceba15ed4ec19bbdb |
| SHA256 | e4b86c3adb3c82dcbf9e87518210b8f23e813174e93fa8b90f3b0ee0f024da1e |
| SHA512 | bcbe6e10d4a6f5166adc864274b534be36b5b238abe7d83c2d26c60cc25a7ff9b2d887c10c132c439108dbdae793d0ad061890a431f1e2b7df659dd67f5cd823 |
memory/4288-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ursgowhxgc.txt
| MD5 | 1d6cb5a374117999329351e6f28268e3 |
| SHA1 | a08e5a413f3febe7def2dff25717cbfe16b315b5 |
| SHA256 | cbf7cbc7305bed6abb433ff9b8277c63a2d79dc845d2995adf8cc1c6dd5463dd |
| SHA512 | 0ce83690f1806a002bd68e6fd1caad2852146e8c03d78aefd5309868e184954793ed0546978dcc86d226c4a5a33437f6feb350cc7ef1a57615dbe80e22042c51 |
memory/4288-138-0x0000000002970000-0x0000000003970000-memory.dmp
memory/3732-148-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe
| MD5 | ca997af70e0e7ba134bd85015d945684 |
| SHA1 | 0d2972cf028063d8086fc6207537d8d1796993b7 |
| SHA256 | 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec |
| SHA512 | 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9 |
memory/4288-150-0x0000000002970000-0x0000000003970000-memory.dmp
memory/4288-152-0x0000000002970000-0x0000000003970000-memory.dmp
memory/3732-153-0x0000000000D60000-0x0000000000D68000-memory.dmp
memory/3732-154-0x000000000A010000-0x000000000A032000-memory.dmp
memory/4288-155-0x0000000002970000-0x0000000003970000-memory.dmp
memory/4272-156-0x0000000000000000-mapping.dmp
memory/4272-157-0x00000000023C0000-0x00000000023F6000-memory.dmp
memory/4272-158-0x0000000004F10000-0x0000000005538000-memory.dmp
memory/4272-159-0x0000000004D90000-0x0000000004DF6000-memory.dmp
memory/4272-160-0x0000000005540000-0x00000000055A6000-memory.dmp
memory/4272-161-0x0000000005CD0000-0x0000000005CEE000-memory.dmp
memory/4272-162-0x0000000007340000-0x00000000079BA000-memory.dmp
memory/4272-163-0x00000000061C0000-0x00000000061DA000-memory.dmp
memory/4288-165-0x0000000002970000-0x0000000003970000-memory.dmp
memory/4288-166-0x0000000002970000-0x0000000003970000-memory.dmp
memory/4316-167-0x0000000000000000-mapping.dmp
memory/4316-168-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4316-172-0x0000000000401000-0x000000000042F000-memory.dmp
memory/4316-171-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4316-173-0x0000000001490000-0x00000000017DA000-memory.dmp