Malware Analysis Report

2025-05-28 15:55

Sample ID 220922-v2df8sfggl
Target ION LABZ Statement.js
SHA256 6dde0bc3fc8d0b186be04fd2ca3b284aa7f922f28cd04830adc1e2e03d95e34b
Tags
formbook vjw0rm te2r persistence rat spyware stealer trojan worm
Score
10/10

Analysis Overview

Score
10/10

SHA256

6dde0bc3fc8d0b186be04fd2ca3b284aa7f922f28cd04830adc1e2e03d95e34b

Threat Level: Known bad

The file ION LABZ Statement.js was found to be: Known bad.

Malicious Activity Summary

formbook vjw0rm te2r persistence rat spyware stealer trojan worm

Formbook

Vjw0rm

Executes dropped EXE

Blocklisted process makes network request

Downloads MZ/PE file

Checks computer location settings

Drops startup file

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-22 17:28

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-22 17:28

Reported

2022-09-22 17:31

Platform

win10v2004-20220812-en

Max time kernel

143s

Max time network

150s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\ION LABZ Statement.js"

Signatures

Formbook

trojan spyware stealer formbook

Vjw0rm

trojan worm vjw0rm

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js C:\Windows\System32\WScript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js C:\Windows\System32\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yhttn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fgnxz\\Yhttn.exe\"" C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4944 set thread context of 4784 N/A C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings C:\Windows\system32\wscript.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4568 wrote to memory of 4364 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 4568 wrote to memory of 4364 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 4568 wrote to memory of 3824 N/A C:\Windows\system32\wscript.exe C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 4568 wrote to memory of 3824 N/A C:\Windows\system32\wscript.exe C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 3824 wrote to memory of 4944 N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe
PID 3824 wrote to memory of 4944 N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe
PID 3824 wrote to memory of 4944 N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe
PID 4944 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4944 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4944 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4944 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe
PID 4944 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe
PID 4944 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe
PID 4944 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe
PID 4944 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe
PID 4944 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\ION LABZ Statement.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vZrohjawOK.js"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\rbdaczbn.txt"

C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe

C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==

C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe

C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe

Network

Country Destination Domain Proto
US 8.238.20.254:80 tcp
US 8.8.8.8:53 javaautorun.duia.ro udp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
US 8.8.8.8:53 jbd231.duckdns.org udp
NL 109.248.150.138:3269 jbd231.duckdns.org tcp
SE 185.29.10.205:80 185.29.10.205 tcp
SE 185.29.10.205:80 185.29.10.205 tcp
US 8.238.20.126:80 tcp
US 8.238.20.126:80 tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
US 8.253.208.120:80 tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
US 8.253.208.120:80 tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp

Files

memory/4364-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\vZrohjawOK.js

MD5 aeea41deb4363e0a23003555ffc0ada1
SHA1 c1fc845800ef733bfd2886bceba15ed4ec19bbdb
SHA256 e4b86c3adb3c82dcbf9e87518210b8f23e813174e93fa8b90f3b0ee0f024da1e
SHA512 bcbe6e10d4a6f5166adc864274b534be36b5b238abe7d83c2d26c60cc25a7ff9b2d887c10c132c439108dbdae793d0ad061890a431f1e2b7df659dd67f5cd823

memory/3824-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\rbdaczbn.txt

MD5 1d6cb5a374117999329351e6f28268e3
SHA1 a08e5a413f3febe7def2dff25717cbfe16b315b5
SHA256 cbf7cbc7305bed6abb433ff9b8277c63a2d79dc845d2995adf8cc1c6dd5463dd
SHA512 0ce83690f1806a002bd68e6fd1caad2852146e8c03d78aefd5309868e184954793ed0546978dcc86d226c4a5a33437f6feb350cc7ef1a57615dbe80e22042c51

memory/3824-140-0x0000000003060000-0x0000000004060000-memory.dmp

memory/4944-147-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe

MD5 ca997af70e0e7ba134bd85015d945684
SHA1 0d2972cf028063d8086fc6207537d8d1796993b7
SHA256 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9

C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe

MD5 ca997af70e0e7ba134bd85015d945684
SHA1 0d2972cf028063d8086fc6207537d8d1796993b7
SHA256 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9

memory/4944-150-0x00000000007B0000-0x00000000007B8000-memory.dmp

memory/3824-151-0x0000000003060000-0x0000000004060000-memory.dmp

memory/4944-152-0x0000000009A70000-0x0000000009A92000-memory.dmp

memory/320-153-0x0000000000000000-mapping.dmp

memory/320-154-0x0000000002BA0000-0x0000000002BD6000-memory.dmp

memory/320-155-0x0000000005290000-0x00000000058B8000-memory.dmp

memory/320-156-0x00000000059C0000-0x0000000005A26000-memory.dmp

memory/320-157-0x0000000005B60000-0x0000000005BC6000-memory.dmp

memory/320-158-0x0000000006170000-0x000000000618E000-memory.dmp

memory/320-159-0x00000000079C0000-0x000000000803A000-memory.dmp

memory/320-160-0x0000000006660000-0x000000000667A000-memory.dmp

memory/3824-161-0x0000000003060000-0x0000000004060000-memory.dmp

memory/4784-162-0x0000000000000000-mapping.dmp

memory/4784-163-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dl-16503567014952209964929404604.exe

MD5 ca997af70e0e7ba134bd85015d945684
SHA1 0d2972cf028063d8086fc6207537d8d1796993b7
SHA256 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9

memory/4784-166-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4784-167-0x0000000000401000-0x000000000042F000-memory.dmp

memory/4784-168-0x0000000001740000-0x0000000001A8A000-memory.dmp

memory/3824-170-0x0000000003060000-0x0000000004060000-memory.dmp

memory/3824-171-0x0000000003060000-0x0000000004060000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-22 17:28

Reported

2022-09-22 17:31

Platform

win7-20220901-en

Max time kernel

148s

Max time network

153s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\ION LABZ Statement.js"

Signatures

Formbook

trojan spyware stealer formbook

Vjw0rm

trojan worm vjw0rm

Downloads MZ/PE file

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js C:\Windows\System32\WScript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js C:\Windows\System32\WScript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yhttn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fgnxz\\Yhttn.exe\"" C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1172 set thread context of 1772 N/A C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Java\jre7\bin\javaw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1048 wrote to memory of 1784 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1048 wrote to memory of 1784 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1048 wrote to memory of 1784 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1048 wrote to memory of 296 N/A C:\Windows\system32\wscript.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 1048 wrote to memory of 296 N/A C:\Windows\system32\wscript.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 1048 wrote to memory of 296 N/A C:\Windows\system32\wscript.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 296 wrote to memory of 1172 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe
PID 296 wrote to memory of 1172 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe
PID 296 wrote to memory of 1172 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe
PID 296 wrote to memory of 1172 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe
PID 1172 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1172 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1172 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1172 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1172 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe
PID 1172 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe
PID 1172 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe
PID 1172 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe
PID 1172 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe
PID 1172 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe
PID 1172 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\ION LABZ Statement.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vZrohjawOK.js"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\zhmyatoo.txt"

C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe

C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==

C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe

C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 javaautorun.duia.ro udp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
US 8.8.8.8:53 jbd231.duckdns.org udp
NL 109.248.150.138:3269 jbd231.duckdns.org tcp
SE 185.29.10.205:80 185.29.10.205 tcp
SE 185.29.10.205:80 185.29.10.205 tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp
CH 91.192.100.8:5432 javaautorun.duia.ro tcp

Files

memory/1048-54-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

memory/1784-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\vZrohjawOK.js

MD5 aeea41deb4363e0a23003555ffc0ada1
SHA1 c1fc845800ef733bfd2886bceba15ed4ec19bbdb
SHA256 e4b86c3adb3c82dcbf9e87518210b8f23e813174e93fa8b90f3b0ee0f024da1e
SHA512 bcbe6e10d4a6f5166adc864274b534be36b5b238abe7d83c2d26c60cc25a7ff9b2d887c10c132c439108dbdae793d0ad061890a431f1e2b7df659dd67f5cd823

memory/296-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\zhmyatoo.txt

MD5 1d6cb5a374117999329351e6f28268e3
SHA1 a08e5a413f3febe7def2dff25717cbfe16b315b5
SHA256 cbf7cbc7305bed6abb433ff9b8277c63a2d79dc845d2995adf8cc1c6dd5463dd
SHA512 0ce83690f1806a002bd68e6fd1caad2852146e8c03d78aefd5309868e184954793ed0546978dcc86d226c4a5a33437f6feb350cc7ef1a57615dbe80e22042c51

memory/296-71-0x00000000020F0000-0x00000000050F0000-memory.dmp

memory/296-74-0x0000000000370000-0x000000000037A000-memory.dmp

memory/296-75-0x0000000000370000-0x000000000037A000-memory.dmp

memory/1172-76-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe

MD5 ca997af70e0e7ba134bd85015d945684
SHA1 0d2972cf028063d8086fc6207537d8d1796993b7
SHA256 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9

C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe

MD5 ca997af70e0e7ba134bd85015d945684
SHA1 0d2972cf028063d8086fc6207537d8d1796993b7
SHA256 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9

memory/1172-79-0x0000000000C70000-0x0000000000C78000-memory.dmp

memory/1172-80-0x00000000759F1000-0x00000000759F3000-memory.dmp

memory/1172-81-0x0000000005510000-0x00000000055E4000-memory.dmp

memory/1172-82-0x0000000004FF0000-0x0000000005082000-memory.dmp

memory/324-83-0x0000000000000000-mapping.dmp

memory/324-85-0x000000006EC20000-0x000000006F1CB000-memory.dmp

memory/296-86-0x00000000020F0000-0x00000000050F0000-memory.dmp

memory/296-88-0x0000000000370000-0x000000000037A000-memory.dmp

memory/296-87-0x0000000000370000-0x000000000037A000-memory.dmp

memory/324-89-0x000000006EC20000-0x000000006F1CB000-memory.dmp

memory/324-90-0x000000006EC20000-0x000000006F1CB000-memory.dmp

\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe

MD5 ca997af70e0e7ba134bd85015d945684
SHA1 0d2972cf028063d8086fc6207537d8d1796993b7
SHA256 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9

memory/1772-92-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1772-93-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1772-95-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1772-96-0x00000000004012B0-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dl3098272701282409170590969432.exe

MD5 ca997af70e0e7ba134bd85015d945684
SHA1 0d2972cf028063d8086fc6207537d8d1796993b7
SHA256 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9

memory/1772-99-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1772-100-0x0000000000401000-0x000000000042F000-memory.dmp

memory/1772-101-0x0000000000930000-0x0000000000C33000-memory.dmp