Malware Analysis Report

2025-05-28 15:55

Sample ID 220926-j8e3vsbbgp
Target Payments Pending July2022.js
SHA256 b9b4fc0d7e86072d0bccd0a50fbe65fb407f3f713dc6841fe708f5675e10f3fd
Tags
formbook vjw0rm te2r persistence rat spyware stealer trojan worm
score
10/10

Analysis Overview

score
10/10

SHA256

b9b4fc0d7e86072d0bccd0a50fbe65fb407f3f713dc6841fe708f5675e10f3fd

Threat Level: Known bad

The file Payments Pending July2022.js was found to be: Known bad.

Malicious Activity Summary

formbook vjw0rm te2r persistence rat spyware stealer trojan worm

Formbook

Vjw0rm

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Drops startup file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2022-09-26 08:20

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-26 08:20

Reported

2022-09-26 08:22

Platform

win10v2004-20220812-en

Max time kernel

148s

Max time network

152s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payments Pending July2022.js"

Signatures

Formbook

trojan spyware stealer formbook

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XFQJBzLSvS.js | C:\Windows\System32\WScript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XFQJBzLSvS.js | C:\Windows\System32\WScript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Coifnvjxl = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mnwphrqjh\\Coifnvjxl.exe\"" | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4772 set thread context of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2672 wrote to memory of 2128 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe
PID 2672 wrote to memory of 2128 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe
PID 2672 wrote to memory of 4700 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 2672 wrote to memory of 4700 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 4700 wrote to memory of 4772 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe
PID 4700 wrote to memory of 4772 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe
PID 4700 wrote to memory of 4772 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe
PID 4772 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4772 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4772 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4772 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe
PID 4772 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe
PID 4772 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe
PID 4772 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe
PID 4772 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe
PID 4772 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe | C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payments Pending July2022.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\XFQJBzLSvS.js"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\dqvpmqlbj.txt"

C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe

C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==

C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe

C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | javaautorun.duia.ro | udp
NG | 41.217.38.90:5433 | javaautorun.duia.ro | tcp
US | 93.184.220.29:80 | | tcp
US | 8.8.8.8:53 | jbd231.duckdns.org | udp
NL | 109.248.150.138:3269 | jbd231.duckdns.org | tcp
NL | 109.248.150.185:80 | 109.248.150.185 | tcp
NL | 109.248.150.185:80 | 109.248.150.185 | tcp
US | 93.184.221.240:80 | | tcp
NG | 41.217.38.90:5433 | javaautorun.duia.ro | tcp
US | 20.189.173.7:443 | | tcp
US | 13.107.4.50:80 | | tcp
US | 13.107.4.50:80 | | tcp
US | 13.107.4.50:80 | | tcp
NG | 41.217.38.90:5433 | javaautorun.duia.ro | tcp
NG | 41.217.38.90:5433 | javaautorun.duia.ro | tcp
NG | 41.217.38.90:5433 | javaautorun.duia.ro | tcp
NG | 41.217.38.90:5433 | javaautorun.duia.ro | tcp

Files

memory/2128-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\XFQJBzLSvS.js

MD5 1c3b0b42763f83a240f6b119d3b15c2f
SHA1 4d70ed8dba182021d7392822e9adfec9559d6a10
SHA256 477266506c73225a2e83e2bbe231b98d21a1bff91ca05f7f1c531d8e82f75cd7
SHA512 61073136d0082ed4341200ceb4ee6bbb6a0fe237626576ba298db17ca1fc8c2ab3fb58d0a84387fdaef2126fc98d2d424f4600093c378720892acaa182418779

memory/4700-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\dqvpmqlbj.txt

MD5 195f235d676a9e8c3195d5e5e99487e4
SHA1 829cde6ad78db81138dc93f31ca2e7c94b5d6f64
SHA256 f68ca9305c322ff38d1043d48311ad49f9ae1ad2d7d12c88bf84d1187078448c
SHA512 48e681a9d15ca3867db4805412ba3f5916d1c5cbe8f6325285055aa65f6573130028308913f7be68e8ca51a205d2702f522bf0b6fc8bc03aa7014ce677aa8270

memory/4700-140-0x0000000002750000-0x0000000003750000-memory.dmp

memory/4772-148-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe

MD5 7ef3ca7c2d9d16855398bc4a40ffbf18
SHA1 b3f197e1f447a582a527d209fa0e1b5a7fc7d5d8
SHA256 6ffada93e4930ec9519c825c43f876015e0b9065e19a4b6356a8f575d62b6e54
SHA512 8d4dc7503026819c92b19f2208e88ce63afc8cdf413adaa8c29c0a6c9d721a0d0424f86377c3ebfcd4023c8be730da74ea849b574b7c653f5150ac7592fcbfdf

C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe

MD5 7ef3ca7c2d9d16855398bc4a40ffbf18
SHA1 b3f197e1f447a582a527d209fa0e1b5a7fc7d5d8
SHA256 6ffada93e4930ec9519c825c43f876015e0b9065e19a4b6356a8f575d62b6e54
SHA512 8d4dc7503026819c92b19f2208e88ce63afc8cdf413adaa8c29c0a6c9d721a0d0424f86377c3ebfcd4023c8be730da74ea849b574b7c653f5150ac7592fcbfdf

memory/4772-151-0x00000000002B0000-0x00000000002B8000-memory.dmp

memory/4700-152-0x0000000002750000-0x0000000003750000-memory.dmp

memory/4700-153-0x0000000002750000-0x0000000003750000-memory.dmp

memory/4772-154-0x0000000009AC0000-0x0000000009AE2000-memory.dmp

memory/1176-155-0x0000000000000000-mapping.dmp

memory/1176-156-0x0000000002850000-0x0000000002886000-memory.dmp

memory/1176-157-0x0000000005430000-0x0000000005A58000-memory.dmp

memory/1176-158-0x0000000005360000-0x00000000053C6000-memory.dmp

memory/1176-159-0x0000000005B80000-0x0000000005BE6000-memory.dmp

memory/1176-160-0x0000000006190000-0x00000000061AE000-memory.dmp

memory/1176-161-0x00000000077D0000-0x0000000007E4A000-memory.dmp

memory/1176-162-0x0000000006680000-0x000000000669A000-memory.dmp

memory/4700-163-0x0000000002750000-0x0000000003750000-memory.dmp

memory/2304-164-0x0000000000000000-mapping.dmp

memory/2304-165-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dl-17096158396911694833019677680.exe

MD5 7ef3ca7c2d9d16855398bc4a40ffbf18
SHA1 b3f197e1f447a582a527d209fa0e1b5a7fc7d5d8
SHA256 6ffada93e4930ec9519c825c43f876015e0b9065e19a4b6356a8f575d62b6e54
SHA512 8d4dc7503026819c92b19f2208e88ce63afc8cdf413adaa8c29c0a6c9d721a0d0424f86377c3ebfcd4023c8be730da74ea849b574b7c653f5150ac7592fcbfdf

memory/2304-168-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2304-169-0x0000000000401000-0x000000000042F000-memory.dmp

memory/2304-170-0x00000000011F0000-0x000000000153A000-memory.dmp

memory/4700-172-0x0000000002750000-0x0000000003750000-memory.dmp

memory/4700-173-0x0000000002750000-0x0000000003750000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-26 08:20

Reported

2022-09-26 08:22

Platform

win7-20220901-en

Max time kernel

139s

Max time network

153s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payments Pending July2022.js"

Signatures

Formbook

trojan spyware stealer formbook

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Downloads MZ/PE file

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XFQJBzLSvS.js | C:\Windows\System32\WScript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XFQJBzLSvS.js | C:\Windows\System32\WScript.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Coifnvjxl = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mnwphrqjh\\Coifnvjxl.exe\"" | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1656 set thread context of 1480 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1340 wrote to memory of 960 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe
PID 1340 wrote to memory of 960 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe
PID 1340 wrote to memory of 960 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe
PID 1340 wrote to memory of 600 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre7\bin\javaw.exe
PID 1340 wrote to memory of 600 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre7\bin\javaw.exe
PID 1340 wrote to memory of 600 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre7\bin\javaw.exe
PID 600 wrote to memory of 1656 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe
PID 600 wrote to memory of 1656 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe
PID 600 wrote to memory of 1656 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe
PID 600 wrote to memory of 1656 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe
PID 1656 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1656 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1656 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1656 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1656 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe
PID 1656 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe
PID 1656 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe
PID 1656 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe
PID 1656 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe
PID 1656 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe
PID 1656 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe | C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payments Pending July2022.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\XFQJBzLSvS.js"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\mljrbnp.txt"

C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe

C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==

C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe

C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | javaautorun.duia.ro | udp
NG | 41.217.38.90:5433 | javaautorun.duia.ro | tcp
US | 8.8.8.8:53 | jbd231.duckdns.org | udp
NL | 109.248.150.138:3269 | jbd231.duckdns.org | tcp
NL | 109.248.150.185:80 | 109.248.150.185 | tcp
NL | 109.248.150.185:80 | 109.248.150.185 | tcp
NG | 41.217.38.90:5433 | javaautorun.duia.ro | tcp
NG | 41.217.38.90:5433 | javaautorun.duia.ro | tcp
NG | 41.217.38.90:5433 | javaautorun.duia.ro | tcp
NG | 41.217.38.90:5433 | javaautorun.duia.ro | tcp

Files

memory/1340-54-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

memory/960-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\XFQJBzLSvS.js

MD5 1c3b0b42763f83a240f6b119d3b15c2f
SHA1 4d70ed8dba182021d7392822e9adfec9559d6a10
SHA256 477266506c73225a2e83e2bbe231b98d21a1bff91ca05f7f1c531d8e82f75cd7
SHA512 61073136d0082ed4341200ceb4ee6bbb6a0fe237626576ba298db17ca1fc8c2ab3fb58d0a84387fdaef2126fc98d2d424f4600093c378720892acaa182418779

memory/600-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\mljrbnp.txt

MD5 195f235d676a9e8c3195d5e5e99487e4
SHA1 829cde6ad78db81138dc93f31ca2e7c94b5d6f64
SHA256 f68ca9305c322ff38d1043d48311ad49f9ae1ad2d7d12c88bf84d1187078448c
SHA512 48e681a9d15ca3867db4805412ba3f5916d1c5cbe8f6325285055aa65f6573130028308913f7be68e8ca51a205d2702f522bf0b6fc8bc03aa7014ce677aa8270

memory/600-71-0x00000000020C0000-0x00000000050C0000-memory.dmp

memory/600-74-0x0000000001DB0000-0x0000000001DBA000-memory.dmp

memory/600-75-0x0000000001DB0000-0x0000000001DBA000-memory.dmp

memory/1656-76-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe

MD5 7ef3ca7c2d9d16855398bc4a40ffbf18
SHA1 b3f197e1f447a582a527d209fa0e1b5a7fc7d5d8
SHA256 6ffada93e4930ec9519c825c43f876015e0b9065e19a4b6356a8f575d62b6e54
SHA512 8d4dc7503026819c92b19f2208e88ce63afc8cdf413adaa8c29c0a6c9d721a0d0424f86377c3ebfcd4023c8be730da74ea849b574b7c653f5150ac7592fcbfdf

C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe

MD5 7ef3ca7c2d9d16855398bc4a40ffbf18
SHA1 b3f197e1f447a582a527d209fa0e1b5a7fc7d5d8
SHA256 6ffada93e4930ec9519c825c43f876015e0b9065e19a4b6356a8f575d62b6e54
SHA512 8d4dc7503026819c92b19f2208e88ce63afc8cdf413adaa8c29c0a6c9d721a0d0424f86377c3ebfcd4023c8be730da74ea849b574b7c653f5150ac7592fcbfdf

memory/1656-79-0x0000000000EF0000-0x0000000000EF8000-memory.dmp

memory/1656-80-0x00000000758B1000-0x00000000758B3000-memory.dmp

memory/1656-81-0x0000000005110000-0x00000000051DC000-memory.dmp

memory/1656-82-0x0000000005440000-0x00000000054D2000-memory.dmp

memory/1528-83-0x0000000000000000-mapping.dmp

memory/1528-85-0x000000006E750000-0x000000006ECFB000-memory.dmp

memory/600-86-0x00000000020C0000-0x00000000050C0000-memory.dmp

memory/600-88-0x0000000001DB0000-0x0000000001DBA000-memory.dmp

memory/600-87-0x0000000001DB0000-0x0000000001DBA000-memory.dmp

memory/1528-89-0x000000006E750000-0x000000006ECFB000-memory.dmp

memory/1528-90-0x000000006E750000-0x000000006ECFB000-memory.dmp

\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe

MD5 7ef3ca7c2d9d16855398bc4a40ffbf18
SHA1 b3f197e1f447a582a527d209fa0e1b5a7fc7d5d8
SHA256 6ffada93e4930ec9519c825c43f876015e0b9065e19a4b6356a8f575d62b6e54
SHA512 8d4dc7503026819c92b19f2208e88ce63afc8cdf413adaa8c29c0a6c9d721a0d0424f86377c3ebfcd4023c8be730da74ea849b574b7c653f5150ac7592fcbfdf

memory/1480-92-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1480-93-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1480-96-0x00000000004012B0-mapping.dmp

memory/1480-95-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dl-15151331247720787836844007150.exe

MD5 7ef3ca7c2d9d16855398bc4a40ffbf18
SHA1 b3f197e1f447a582a527d209fa0e1b5a7fc7d5d8
SHA256 6ffada93e4930ec9519c825c43f876015e0b9065e19a4b6356a8f575d62b6e54
SHA512 8d4dc7503026819c92b19f2208e88ce63afc8cdf413adaa8c29c0a6c9d721a0d0424f86377c3ebfcd4023c8be730da74ea849b574b7c653f5150ac7592fcbfdf

memory/1480-99-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1480-100-0x0000000000401000-0x000000000042F000-memory.dmp

memory/1480-101-0x0000000000770000-0x0000000000A73000-memory.dmp