Malware Analysis Report

2025-01-02 02:00

Sample ID 220701-lvgqmscdgk
Target Re Order 4500324718-CIMELECT.jar
SHA256 ead8106d04189a9765d0e125d5d504e30c2c1bc3223a8d9d3ee897af82846b96
Tags asyncrat default rat adwind trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

ead8106d04189a9765d0e125d5d504e30c2c1bc3223a8d9d3ee897af82846b96

Threat Level: Known bad

The file Re Order 4500324718-CIMELECT.jar was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat adwind trojan

AdWind

AsyncRat

Async RAT payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-01 09:51

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-01 09:51

Reported

2022-07-01 09:54

Platform

win10v2004-20220414-en

Max time kernel

68s

Max time network

55s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\Re Order 4500324718-CIMELECT.jar"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\AsyncClient.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Windows\SYSTEM32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings C:\Windows\SYSTEM32\wscript.exe N/A

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\Re Order 4500324718-CIMELECT.jar"

C:\Windows\SYSTEM32\wscript.exe

wscript C:\Users\Admin\slrtghxwgp.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\xRKCVudFNp.js"

C:\Users\Admin\AppData\Roaming\AsyncClient.exe

"C:\Users\Admin\AppData\Roaming\AsyncClient.exe"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\dnleucksc.txt"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.290859765782728656590665891713163959.class

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 13.89.178.26:443 tcp
US 8.253.208.112:80 tcp
US 8.253.208.112:80 tcp
US 8.253.208.112:80 tcp

Files

memory/432-132-0x0000000002D40000-0x0000000003D40000-memory.dmp

memory/724-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\slrtghxwgp.js

MD5 a0feff107f173acc9b411620b16cfddf
SHA1 b7b5985ad225aef80e1e0e08297330f2257f7f59
SHA256 100de96a9a0778b9d66d919de429cecb7ee54c4e3ddce9911d40a0ded003d185
SHA512 99d7ca04f65e2cadd0678166a5b1c07e476873bd43c90290982731e3657bd43a4ddcfb57a1317381529eb50dd1dadd7e87273006f4179e43b4a3251184ed7000

memory/2372-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\xRKCVudFNp.js

MD5 63649fb5e85e7f8c93a1ad99a27b7b22
SHA1 ae8e7a2215151a271d983e52ba8a56a77ae6baed
SHA256 e5d86ad0a6d4aaf17667fc846727326d86608c9cbee572b6aef70c92b028d86d
SHA512 7bd802d530f5b752a8b9ec2e0e45ade04b70d0edf29b007852682e25cc3a63531fde3d2c57e03d5fb8478caeff823b028d9bd83ef693876d5f803868428d5f3a

memory/4612-145-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\dnleucksc.txt

MD5 e6e49d6575a99dc7eaf81091e02190b6
SHA1 d7abf421d1a9d080d89b2922003a0d869d64ac2c
SHA256 3df792e3ab0c1efd66231647b0369e5805d359403d5b534a2562a7ba301b0757
SHA512 98743a430ab0490aed350a800d057dbaf7b29d2ce9833ca7cefc3e52a18dc5918c315918f64b193ca6d42f0250f7d93f001606689852de3f56182de42e0a7d3f

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 b067d3b4b88e590af0a571228c92e368
SHA1 85a1bec97f1f0daf07c1df6d6a1ea3831d762e17
SHA256 dfcb365a98000b9930a48e85ef88c84260f08da26e871a62130219413bb89295
SHA512 2c0e10ecb587fba9190e3797394488ecfd59dac232fe53bb8029d778253afff5f52c97c9344e9769f897f5165e471dab775e5c6d703becb73824d2a9da1ddfbf

memory/1940-157-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\AsyncClient.exe

MD5 cbdce3b5e2939fe92312004dcb31151f
SHA1 6f11f275c611decd4659f23a4593103f327806a6
SHA256 6ccc49875c2d837f462c4c3bd81f80b3be93f8435e8a22e042b5db025a31a6e3
SHA512 6240f21957016db0607987c81b110e78640d20eeba2dc0274cf6e6741cfd7924ca3b42325405e620f423157c34f355f188dbf60de96421e87f0d53e271fcc2c8

memory/4612-159-0x0000000002540000-0x0000000003540000-memory.dmp

memory/1904-160-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\_0.290859765782728656590665891713163959.class

MD5 781fb531354d6f291f1ccab48da6d39f
SHA1 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA256 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA512 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 20dee59a456915e21a0ceebb51b885ff
SHA1 2cb483863aed450218eb9e4d3877dfcc30879afb
SHA256 45808bf832e871d2d60a53925576ad4997d148f9c6f46f87322d9f3c8094d9df
SHA512 0770c20a4d1c8df4aacaa784834607fd239df4c8f2f23c2b0c9457c737e1cc2197f38d78d4264ab485d38bcd6f68fd840effd6a213c174a65102242cae329061

memory/1904-171-0x0000000002DC0000-0x0000000003DC0000-memory.dmp

C:\Users\Admin\AppData\Roaming\AsyncClient.exe

MD5 cbdce3b5e2939fe92312004dcb31151f
SHA1 6f11f275c611decd4659f23a4593103f327806a6
SHA256 6ccc49875c2d837f462c4c3bd81f80b3be93f8435e8a22e042b5db025a31a6e3
SHA512 6240f21957016db0607987c81b110e78640d20eeba2dc0274cf6e6741cfd7924ca3b42325405e620f423157c34f355f188dbf60de96421e87f0d53e271fcc2c8

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1081944012-3634099177-1681222835-1000\83aa4cc77f591dfc2374580bbd95f6ba_20e30e2f-4677-4eb9-89e6-7dd1fd044635

MD5 c8366ae350e7019aefc9d1e6e6a498c6
SHA1 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

memory/4612-179-0x0000000002540000-0x0000000003540000-memory.dmp

memory/4612-180-0x0000000002540000-0x0000000003540000-memory.dmp

memory/1904-181-0x0000000002DC0000-0x0000000003DC0000-memory.dmp

memory/4612-182-0x0000000002540000-0x0000000003540000-memory.dmp

memory/1940-187-0x00000000005B0000-0x00000000005C2000-memory.dmp

memory/1904-188-0x0000000002DC0000-0x0000000003DC0000-memory.dmp

memory/4612-190-0x0000000002540000-0x0000000003540000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-01 09:51

Reported

2022-07-01 09:54

Platform

win7-20220414-en

Max time kernel

149s

Max time network

153s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\Re Order 4500324718-CIMELECT.jar"

Signatures

AdWind

trojan adwind

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\win.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\test.txt C:\Program Files\Java\jre7\bin\java.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\AsyncClient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\AsyncClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\win.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Java\jre7\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre7\bin\java.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1892 wrote to memory of 980 N/A C:\Windows\system32\java.exe C:\Windows\system32\wscript.exe
PID 1892 wrote to memory of 980 N/A C:\Windows\system32\java.exe C:\Windows\system32\wscript.exe
PID 1892 wrote to memory of 980 N/A C:\Windows\system32\java.exe C:\Windows\system32\wscript.exe
PID 980 wrote to memory of 1064 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 980 wrote to memory of 1064 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 980 wrote to memory of 1064 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1064 wrote to memory of 1800 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Roaming\AsyncClient.exe
PID 1064 wrote to memory of 1800 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Roaming\AsyncClient.exe
PID 1064 wrote to memory of 1800 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Roaming\AsyncClient.exe
PID 1064 wrote to memory of 1800 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Roaming\AsyncClient.exe
PID 980 wrote to memory of 1144 N/A C:\Windows\system32\wscript.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 980 wrote to memory of 1144 N/A C:\Windows\system32\wscript.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 980 wrote to memory of 1144 N/A C:\Windows\system32\wscript.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 1144 wrote to memory of 1632 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Program Files\Java\jre7\bin\java.exe
PID 1144 wrote to memory of 1632 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Program Files\Java\jre7\bin\java.exe
PID 1144 wrote to memory of 1632 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Program Files\Java\jre7\bin\java.exe
PID 1144 wrote to memory of 884 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 1144 wrote to memory of 884 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 1144 wrote to memory of 884 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 1632 wrote to memory of 1364 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1632 wrote to memory of 1364 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1632 wrote to memory of 1364 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1364 wrote to memory of 1812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1364 wrote to memory of 1812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1364 wrote to memory of 1812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 884 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 884 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 884 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1632 wrote to memory of 1984 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1632 wrote to memory of 1984 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1632 wrote to memory of 1984 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1144 wrote to memory of 1740 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 1144 wrote to memory of 1740 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 1144 wrote to memory of 1740 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 1984 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1984 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1984 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1740 wrote to memory of 816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1740 wrote to memory of 816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1740 wrote to memory of 816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1632 wrote to memory of 940 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\xcopy.exe
PID 1632 wrote to memory of 940 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\xcopy.exe
PID 1632 wrote to memory of 940 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\xcopy.exe
PID 1144 wrote to memory of 1048 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\xcopy.exe
PID 1144 wrote to memory of 1048 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\xcopy.exe
PID 1144 wrote to memory of 1048 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\xcopy.exe
PID 1800 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Roaming\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Roaming\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Roaming\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Roaming\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Roaming\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Roaming\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Roaming\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Roaming\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1712 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1712 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1712 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1716 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1716 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1716 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1716 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1716 wrote to memory of 524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\win.exe
PID 1716 wrote to memory of 524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\win.exe

Processes

C:\Windows\system32\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\Re Order 4500324718-CIMELECT.jar"

C:\Windows\system32\wscript.exe

wscript C:\Users\Admin\slrtghxwgp.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\xRKCVudFNp.js"

C:\Users\Admin\AppData\Roaming\AsyncClient.exe

"C:\Users\Admin\AppData\Roaming\AsyncClient.exe"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\tdhincms.txt"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.8604269440917279187329329803816007.class

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1492363208547327145.vbs

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7833888932401697738.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7833888932401697738.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1492363208547327145.vbs

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7016542688526462473.vbs

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8841967850673337300.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8841967850673337300.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7016542688526462473.vbs

C:\Windows\system32\xcopy.exe

xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e

C:\Windows\system32\xcopy.exe

xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "win" /tr '"C:\Users\Admin\AppData\Roaming\win.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE438.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "win" /tr '"C:\Users\Admin\AppData\Roaming\win.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\win.exe

"C:\Users\Admin\AppData\Roaming\win.exe"

C:\Windows\system32\cmd.exe

cmd.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 franmhort.duia.ro udp
CH 91.192.100.8:8153 franmhort.duia.ro tcp
N/A 127.0.0.1:7777 tcp
CH 91.192.100.8:8153 franmhort.duia.ro tcp
N/A 127.0.0.1:7777 tcp
N/A 127.0.0.1:7777 tcp
CH 91.192.100.8:8153 franmhort.duia.ro tcp
N/A 127.0.0.1:7777 tcp

Files

memory/1892-54-0x000007FEFBF31000-0x000007FEFBF33000-memory.dmp

memory/1892-57-0x0000000002290000-0x0000000005290000-memory.dmp

memory/980-65-0x0000000000000000-mapping.dmp

C:\Users\Admin\slrtghxwgp.js

MD5 a0feff107f173acc9b411620b16cfddf
SHA1 b7b5985ad225aef80e1e0e08297330f2257f7f59
SHA256 100de96a9a0778b9d66d919de429cecb7ee54c4e3ddce9911d40a0ded003d185
SHA512 99d7ca04f65e2cadd0678166a5b1c07e476873bd43c90290982731e3657bd43a4ddcfb57a1317381529eb50dd1dadd7e87273006f4179e43b4a3251184ed7000

memory/1064-69-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\xRKCVudFNp.js

MD5 63649fb5e85e7f8c93a1ad99a27b7b22
SHA1 ae8e7a2215151a271d983e52ba8a56a77ae6baed
SHA256 e5d86ad0a6d4aaf17667fc846727326d86608c9cbee572b6aef70c92b028d86d
SHA512 7bd802d530f5b752a8b9ec2e0e45ade04b70d0edf29b007852682e25cc3a63531fde3d2c57e03d5fb8478caeff823b028d9bd83ef693876d5f803868428d5f3a

memory/1800-72-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\AsyncClient.exe

MD5 cbdce3b5e2939fe92312004dcb31151f
SHA1 6f11f275c611decd4659f23a4593103f327806a6
SHA256 6ccc49875c2d837f462c4c3bd81f80b3be93f8435e8a22e042b5db025a31a6e3
SHA512 6240f21957016db0607987c81b110e78640d20eeba2dc0274cf6e6741cfd7924ca3b42325405e620f423157c34f355f188dbf60de96421e87f0d53e271fcc2c8

memory/1144-74-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\AsyncClient.exe

MD5 cbdce3b5e2939fe92312004dcb31151f
SHA1 6f11f275c611decd4659f23a4593103f327806a6
SHA256 6ccc49875c2d837f462c4c3bd81f80b3be93f8435e8a22e042b5db025a31a6e3
SHA512 6240f21957016db0607987c81b110e78640d20eeba2dc0274cf6e6741cfd7924ca3b42325405e620f423157c34f355f188dbf60de96421e87f0d53e271fcc2c8

C:\Users\Admin\AppData\Roaming\tdhincms.txt

MD5 e6e49d6575a99dc7eaf81091e02190b6
SHA1 d7abf421d1a9d080d89b2922003a0d869d64ac2c
SHA256 3df792e3ab0c1efd66231647b0369e5805d359403d5b534a2562a7ba301b0757
SHA512 98743a430ab0490aed350a800d057dbaf7b29d2ce9833ca7cefc3e52a18dc5918c315918f64b193ca6d42f0250f7d93f001606689852de3f56182de42e0a7d3f

memory/1144-87-0x00000000020E0000-0x00000000050E0000-memory.dmp

memory/1632-88-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\_0.8604269440917279187329329803816007.class

MD5 781fb531354d6f291f1ccab48da6d39f
SHA1 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA256 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA512 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

memory/1800-91-0x0000000001080000-0x0000000001092000-memory.dmp

memory/1632-101-0x00000000021D0000-0x00000000051D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-790309383-526510583-3802439154-1000\83aa4cc77f591dfc2374580bbd95f6ba_5a8ed3ac-cae1-4e8b-9fd6-2d374700adef

MD5 c8366ae350e7019aefc9d1e6e6a498c6
SHA1 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

memory/1144-103-0x00000000020E0000-0x00000000050E0000-memory.dmp

memory/1800-104-0x00000000756A1000-0x00000000756A3000-memory.dmp

memory/1632-105-0x00000000021D0000-0x00000000051D0000-memory.dmp

memory/884-108-0x0000000000000000-mapping.dmp

memory/1364-109-0x0000000000000000-mapping.dmp

memory/1924-111-0x0000000000000000-mapping.dmp

memory/1812-110-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Retrive1492363208547327145.vbs

MD5 3bdfd33017806b85949b6faa7d4b98e4
SHA1 f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA256 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512 ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

C:\Users\Admin\AppData\Local\Temp\Retrive7833888932401697738.vbs

MD5 3bdfd33017806b85949b6faa7d4b98e4
SHA1 f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA256 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512 ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

memory/1984-114-0x0000000000000000-mapping.dmp

memory/1740-115-0x0000000000000000-mapping.dmp

memory/2040-116-0x0000000000000000-mapping.dmp

memory/816-117-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Retrive8841967850673337300.vbs

MD5 a32c109297ed1ca155598cd295c26611
SHA1 dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA512 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

C:\Users\Admin\AppData\Local\Temp\Retrive7016542688526462473.vbs

MD5 a32c109297ed1ca155598cd295c26611
SHA1 dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA512 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

memory/1048-121-0x0000000000000000-mapping.dmp

memory/940-120-0x0000000000000000-mapping.dmp

memory/1712-122-0x0000000000000000-mapping.dmp

memory/1716-123-0x0000000000000000-mapping.dmp

memory/1504-124-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE438.tmp.bat

MD5 cc8627b7f9f6d960318a1638b6d448b5
SHA1 a69e862da196123cfe5effa7c264ea8824bb2109
SHA256 034f019addcd640868293158ef144dd72c2bfbae5c0002b66cced275b649120f
SHA512 0a555685a83868b826097459b8e6c1bf7e95acbee33ec03737273943545ed7334d3f153b3823ab829f5e3b1506e301b111372313c5e308f008802d0f7e64aa32

memory/1592-126-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\win.exe

MD5 cbdce3b5e2939fe92312004dcb31151f
SHA1 6f11f275c611decd4659f23a4593103f327806a6
SHA256 6ccc49875c2d837f462c4c3bd81f80b3be93f8435e8a22e042b5db025a31a6e3
SHA512 6240f21957016db0607987c81b110e78640d20eeba2dc0274cf6e6741cfd7924ca3b42325405e620f423157c34f355f188dbf60de96421e87f0d53e271fcc2c8

C:\Users\Admin\AppData\Roaming\win.exe

MD5 cbdce3b5e2939fe92312004dcb31151f
SHA1 6f11f275c611decd4659f23a4593103f327806a6
SHA256 6ccc49875c2d837f462c4c3bd81f80b3be93f8435e8a22e042b5db025a31a6e3
SHA512 6240f21957016db0607987c81b110e78640d20eeba2dc0274cf6e6741cfd7924ca3b42325405e620f423157c34f355f188dbf60de96421e87f0d53e271fcc2c8

memory/524-129-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\win.exe

MD5 cbdce3b5e2939fe92312004dcb31151f
SHA1 6f11f275c611decd4659f23a4593103f327806a6
SHA256 6ccc49875c2d837f462c4c3bd81f80b3be93f8435e8a22e042b5db025a31a6e3
SHA512 6240f21957016db0607987c81b110e78640d20eeba2dc0274cf6e6741cfd7924ca3b42325405e620f423157c34f355f188dbf60de96421e87f0d53e271fcc2c8

memory/524-131-0x0000000000380000-0x0000000000392000-memory.dmp

memory/1336-133-0x0000000000000000-mapping.dmp