Malware Analysis Report

2025-05-28 15:55

Sample ID 220922-mkdfxaehfr
Target ION LABZ Statement.js
SHA256 6dde0bc3fc8d0b186be04fd2ca3b284aa7f922f28cd04830adc1e2e03d95e34b
Tags: formbook vjw0rm te2r persistence rat spyware stealer trojan worm

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 6dde0bc3fc8d0b186be04fd2ca3b284aa7f922f28cd04830adc1e2e03d95e34b

Threat Level: Known bad

The file ION LABZ Statement.js was found to be: Known bad.

Malicious Activity Summary

formbook vjw0rm te2r persistence rat spyware stealer trojan worm

Vjw0rm

Formbook

Executes dropped EXE

Blocklisted process makes network request

Downloads MZ/PE file

Loads dropped DLL

Checks computer location settings

Drops startup file

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-22 10:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-22 10:31

Reported

2022-09-22 10:33

Platform

win7-20220812-en

Max time kernel

150s

Max time network

152s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\ION LABZ Statement.js"

Signatures

Formbook

trojan spyware stealer formbook

Vjw0rm

trojan worm vjw0rm

Downloads MZ/PE file

Drops startup file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js | C:\Windows\System32\WScript.exe | N/A |

Adds Run key to start application

persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yhttn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fgnxz\\Yhttn.exe\"" | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | N/A |

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1624 set thread context of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe |

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2012 wrote to memory of 1340 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe |
| PID 2012 wrote to memory of 1340 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe |
| PID 2012 wrote to memory of 1340 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe |
| PID 2012 wrote to memory of 1200 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre7\bin\javaw.exe |
| PID 2012 wrote to memory of 1200 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre7\bin\javaw.exe |
| PID 2012 wrote to memory of 1200 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre7\bin\javaw.exe |
| PID 1200 wrote to memory of 1624 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe |
| PID 1200 wrote to memory of 1624 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe |
| PID 1200 wrote to memory of 1624 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe |
| PID 1200 wrote to memory of 1624 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe |
| PID 1624 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1624 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1624 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1624 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1624 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe |
| PID 1624 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe |
| PID 1624 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe |
| PID 1624 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe |
| PID 1624 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe |
| PID 1624 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe |
| PID 1624 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe |
| PID 1624 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe |
| PID 1624 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe |
| PID 1624 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe |
| PID 1624 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe | C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe |

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\ION LABZ Statement.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vZrohjawOK.js"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\kpakazlev.txt"

C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe

C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==

Decoded -enc argument (UTF-16LE base64): Start-Sleep -Seconds 50

C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe

C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe

C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe

C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | jbd231.duckdns.org | udp |
| NL | 109.248.150.138:3269 | jbd231.duckdns.org | tcp |
| SE | 185.29.10.205:80 | 185.29.10.205 | tcp |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| SE | 185.29.10.205:80 | 185.29.10.205 | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |

Files

memory/2012-54-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp

memory/1340-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\vZrohjawOK.js

MD5 aeea41deb4363e0a23003555ffc0ada1
SHA1 c1fc845800ef733bfd2886bceba15ed4ec19bbdb
SHA256 e4b86c3adb3c82dcbf9e87518210b8f23e813174e93fa8b90f3b0ee0f024da1e
SHA512 bcbe6e10d4a6f5166adc864274b534be36b5b238abe7d83c2d26c60cc25a7ff9b2d887c10c132c439108dbdae793d0ad061890a431f1e2b7df659dd67f5cd823

memory/1200-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\kpakazlev.txt

MD5 1d6cb5a374117999329351e6f28268e3
SHA1 a08e5a413f3febe7def2dff25717cbfe16b315b5
SHA256 cbf7cbc7305bed6abb433ff9b8277c63a2d79dc845d2995adf8cc1c6dd5463dd
SHA512 0ce83690f1806a002bd68e6fd1caad2852146e8c03d78aefd5309868e184954793ed0546978dcc86d226c4a5a33437f6feb350cc7ef1a57615dbe80e22042c51

memory/1200-70-0x0000000002150000-0x0000000005150000-memory.dmp

memory/1200-74-0x0000000000180000-0x000000000018A000-memory.dmp

memory/1624-75-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe

MD5 ca997af70e0e7ba134bd85015d945684
SHA1 0d2972cf028063d8086fc6207537d8d1796993b7
SHA256 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9

C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe

MD5 ca997af70e0e7ba134bd85015d945684
SHA1 0d2972cf028063d8086fc6207537d8d1796993b7
SHA256 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9

memory/1624-78-0x0000000000C30000-0x0000000000C38000-memory.dmp

memory/1624-79-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

memory/1624-80-0x0000000004F40000-0x0000000005014000-memory.dmp

memory/1624-81-0x0000000005010000-0x00000000050A2000-memory.dmp

memory/1804-82-0x0000000000000000-mapping.dmp

memory/1804-84-0x000000006EC60000-0x000000006F20B000-memory.dmp

memory/1200-85-0x0000000002150000-0x0000000005150000-memory.dmp

memory/1200-86-0x0000000000180000-0x000000000018A000-memory.dmp

memory/1804-87-0x000000006EC60000-0x000000006F20B000-memory.dmp

memory/1804-88-0x000000006EC60000-0x000000006F20B000-memory.dmp

\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe

MD5 ca997af70e0e7ba134bd85015d945684
SHA1 0d2972cf028063d8086fc6207537d8d1796993b7
SHA256 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9

C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe

MD5 ca997af70e0e7ba134bd85015d945684
SHA1 0d2972cf028063d8086fc6207537d8d1796993b7
SHA256 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9

\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe

MD5 ca997af70e0e7ba134bd85015d945684
SHA1 0d2972cf028063d8086fc6207537d8d1796993b7
SHA256 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9

memory/1628-92-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1628-93-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1628-95-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1628-96-0x00000000004012B0-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dl8146395848399798364075715024.exe

MD5 ca997af70e0e7ba134bd85015d945684
SHA1 0d2972cf028063d8086fc6207537d8d1796993b7
SHA256 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9

memory/1628-99-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1628-100-0x0000000000401000-0x000000000042F000-memory.dmp

memory/1628-101-0x0000000000C40000-0x0000000000F43000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-22 10:31

Reported

2022-09-22 10:33

Platform

win10v2004-20220812-en

Max time kernel

148s

Max time network

153s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\ION LABZ Statement.js"

Signatures

Formbook

trojan spyware stealer formbook

Vjw0rm

trojan worm vjw0rm

Downloads MZ/PE file

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe | N/A |

Drops startup file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrohjawOK.js | C:\Windows\System32\WScript.exe | N/A |

Adds Run key to start application

persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yhttn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fgnxz\\Yhttn.exe\"" | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe | N/A |

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3732 set thread context of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe |

Enumerates physical storage devices

Modifies registry class

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4800 wrote to memory of 4408 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe |
| PID 4800 wrote to memory of 4408 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe |
| PID 4800 wrote to memory of 4288 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe |
| PID 4800 wrote to memory of 4288 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe |
| PID 4288 wrote to memory of 3732 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe |
| PID 4288 wrote to memory of 3732 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe |
| PID 4288 wrote to memory of 3732 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe |
| PID 3732 wrote to memory of 4272 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3732 wrote to memory of 4272 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3732 wrote to memory of 4272 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3732 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe |
| PID 3732 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe |
| PID 3732 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe |
| PID 3732 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe |
| PID 3732 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe |
| PID 3732 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe | C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe |

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\ION LABZ Statement.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vZrohjawOK.js"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ursgowhxgc.txt"

C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe

C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==

Decoded -enc argument (UTF-16LE base64): Start-Sleep -Seconds 50

C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe

C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| US | 93.184.220.29:80 | | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | jbd231.duckdns.org | udp |
| NL | 109.248.150.138:3269 | jbd231.duckdns.org | tcp |
| SE | 185.29.10.205:80 | 185.29.10.205 | tcp |
| IE | 13.69.239.74:443 | | tcp |
| SE | 185.29.10.205:80 | 185.29.10.205 | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| US | 8.252.118.126:80 | | tcp |
| US | 8.252.118.126:80 | | tcp |
| US | 8.252.118.126:80 | | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| US | 93.184.221.240:80 | | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| NL | 104.80.225.205:443 | | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |
| CH | 91.192.100.8:5432 | javaautorun.duia.ro | tcp |

Files

memory/4408-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\vZrohjawOK.js

MD5 aeea41deb4363e0a23003555ffc0ada1
SHA1 c1fc845800ef733bfd2886bceba15ed4ec19bbdb
SHA256 e4b86c3adb3c82dcbf9e87518210b8f23e813174e93fa8b90f3b0ee0f024da1e
SHA512 bcbe6e10d4a6f5166adc864274b534be36b5b238abe7d83c2d26c60cc25a7ff9b2d887c10c132c439108dbdae793d0ad061890a431f1e2b7df659dd67f5cd823

memory/4288-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\ursgowhxgc.txt

MD5 1d6cb5a374117999329351e6f28268e3
SHA1 a08e5a413f3febe7def2dff25717cbfe16b315b5
SHA256 cbf7cbc7305bed6abb433ff9b8277c63a2d79dc845d2995adf8cc1c6dd5463dd
SHA512 0ce83690f1806a002bd68e6fd1caad2852146e8c03d78aefd5309868e184954793ed0546978dcc86d226c4a5a33437f6feb350cc7ef1a57615dbe80e22042c51

memory/4288-138-0x0000000002970000-0x0000000003970000-memory.dmp

memory/3732-148-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe

MD5 ca997af70e0e7ba134bd85015d945684
SHA1 0d2972cf028063d8086fc6207537d8d1796993b7
SHA256 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9

memory/4288-150-0x0000000002970000-0x0000000003970000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe

MD5 ca997af70e0e7ba134bd85015d945684
SHA1 0d2972cf028063d8086fc6207537d8d1796993b7
SHA256 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9

memory/4288-152-0x0000000002970000-0x0000000003970000-memory.dmp

memory/3732-153-0x0000000000D60000-0x0000000000D68000-memory.dmp

memory/3732-154-0x000000000A010000-0x000000000A032000-memory.dmp

memory/4288-155-0x0000000002970000-0x0000000003970000-memory.dmp

memory/4272-156-0x0000000000000000-mapping.dmp

memory/4272-157-0x00000000023C0000-0x00000000023F6000-memory.dmp

memory/4272-158-0x0000000004F10000-0x0000000005538000-memory.dmp

memory/4272-159-0x0000000004D90000-0x0000000004DF6000-memory.dmp

memory/4272-160-0x0000000005540000-0x00000000055A6000-memory.dmp

memory/4272-161-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

memory/4272-162-0x0000000007340000-0x00000000079BA000-memory.dmp

memory/4272-163-0x00000000061C0000-0x00000000061DA000-memory.dmp

memory/4288-165-0x0000000002970000-0x0000000003970000-memory.dmp

memory/4288-166-0x0000000002970000-0x0000000003970000-memory.dmp

memory/4316-167-0x0000000000000000-mapping.dmp

memory/4316-168-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dl-20451412363164798541208127808.exe

MD5 ca997af70e0e7ba134bd85015d945684
SHA1 0d2972cf028063d8086fc6207537d8d1796993b7
SHA256 74cb4ffa84249a18ca95cd781bd121a166e2902161a8918d645fa3d6b59032ec
SHA512 836c667aba467655a52a1c13f6d8a4eff844af3aedb115dea2a77244d9294cf605d7030ffc9d30e200c5010251aa78cbe8e5265daebee8c4a0cd107ff3253fc9

memory/4316-172-0x0000000000401000-0x000000000042F000-memory.dmp

memory/4316-171-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4316-173-0x0000000001490000-0x00000000017DA000-memory.dmp