Analysis Overview
SHA256
ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804
Threat Level: Known bad
The file Scanned copies.js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
WSHRAT
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Script User-Agent
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-31 06:21
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-31 06:21
Reported
2022-10-31 06:24
Platform
win10v2004-20220812-en
Max time kernel
147s
Max time network
159s
Command Line
Signatures
Vjw0rm
WSHRAT
Blocklisted process makes network request
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 31/10/2022|JavaScript | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 676 wrote to memory of 1304 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 676 wrote to memory of 1304 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 676 wrote to memory of 4280 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 676 wrote to memory of 4280 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4280 wrote to memory of 5016 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4280 wrote to memory of 5016 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Scanned copies.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Scanned copies.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.252.118.126:80 | tcp | |
| US | 8.252.118.126:80 | tcp | |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| NL | 185.252.178.17:5050 | 185.252.178.17 | tcp |
| NG | 41.217.14.122:5465 | javaautorun.duia.ro | tcp |
| NG | 41.217.14.122:5465 | javaautorun.duia.ro | tcp |
| NL | 185.252.178.17:5050 | 185.252.178.17 | tcp |
| US | 8.252.118.126:80 | tcp | |
| NG | 41.217.14.122:5465 | javaautorun.duia.ro | tcp |
| NG | 41.217.14.122:5465 | javaautorun.duia.ro | tcp |
| NL | 185.252.178.17:5050 | 185.252.178.17 | tcp |
| US | 93.184.220.29:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 8.252.118.126:80 | tcp | |
| US | 8.253.209.121:80 | tcp | |
| NL | 185.252.178.17:5050 | tcp | |
| NG | 41.217.14.122:5465 | javaautorun.duia.ro | tcp |
| NG | 41.217.14.122:5465 | javaautorun.duia.ro | tcp |
| NL | 185.252.178.17:5050 | 185.252.178.17 | tcp |
| NL | 185.252.178.17:5050 | 185.252.178.17 | tcp |
| NG | 41.217.14.122:5465 | javaautorun.duia.ro | tcp |
| NG | 41.217.14.122:5465 | javaautorun.duia.ro | tcp |
| NL | 185.252.178.17:5050 | 185.252.178.17 | tcp |
| NL | 185.252.178.17:5050 | 185.252.178.17 | tcp |
| NG | 41.217.14.122:5465 | javaautorun.duia.ro | tcp |
| NG | 41.217.14.122:5465 | javaautorun.duia.ro | tcp |
| NL | 185.252.178.17:5050 | 185.252.178.17 | tcp |
| NL | 185.252.178.17:5050 | 185.252.178.17 | tcp |
| NL | 185.252.178.17:5050 | 185.252.178.17 | tcp |
| NG | 41.217.14.122:5465 | javaautorun.duia.ro | tcp |
| NG | 41.217.14.122:5465 | javaautorun.duia.ro | tcp |
| NL | 185.252.178.17:5050 | 185.252.178.17 | tcp |
Files
memory/1304-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js
| MD5 | 0b3fb1c1e7a5cfdc66b4d3985815e6ff |
| SHA1 | 2bdade957c852dee5c052729e2a464bbd2454082 |
| SHA256 | b92a038dd2b2a329c201677af46b4269ca638c4a19f5ee164cf8c14e80ce488e |
| SHA512 | 4bc41bf95c80f657b68f7236c741336b71e5cc460003b52eb5b817a14411babe357c413d0f45751f02d82915a63a67f132a022d376fb6ed3df6c8e509e31abea |
memory/4280-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Scanned copies.js
| MD5 | 49b13da43564fd53f17eb0a803a92a09 |
| SHA1 | ed74e4ea8cb53499dc36335814d82ac31cc6d0c7 |
| SHA256 | ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804 |
| SHA512 | a58239e5320361022ed9d5d63831029f1589e9e29132f676bba796157b3d2c1c1a1509635cddfd12ba8b6ad37744115039bdf95632ceec481621c5639b713d31 |
memory/5016-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js
| MD5 | 0b3fb1c1e7a5cfdc66b4d3985815e6ff |
| SHA1 | 2bdade957c852dee5c052729e2a464bbd2454082 |
| SHA256 | b92a038dd2b2a329c201677af46b4269ca638c4a19f5ee164cf8c14e80ce488e |
| SHA512 | 4bc41bf95c80f657b68f7236c741336b71e5cc460003b52eb5b817a14411babe357c413d0f45751f02d82915a63a67f132a022d376fb6ed3df6c8e509e31abea |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js
| MD5 | 49b13da43564fd53f17eb0a803a92a09 |
| SHA1 | ed74e4ea8cb53499dc36335814d82ac31cc6d0c7 |
| SHA256 | ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804 |
| SHA512 | a58239e5320361022ed9d5d63831029f1589e9e29132f676bba796157b3d2c1c1a1509635cddfd12ba8b6ad37744115039bdf95632ceec481621c5639b713d31 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js
| MD5 | 0b3fb1c1e7a5cfdc66b4d3985815e6ff |
| SHA1 | 2bdade957c852dee5c052729e2a464bbd2454082 |
| SHA256 | b92a038dd2b2a329c201677af46b4269ca638c4a19f5ee164cf8c14e80ce488e |
| SHA512 | 4bc41bf95c80f657b68f7236c741336b71e5cc460003b52eb5b817a14411babe357c413d0f45751f02d82915a63a67f132a022d376fb6ed3df6c8e509e31abea |
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-31 06:21
Reported
2022-10-31 06:24
Platform
win7-20220812-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Vjw0rm
WSHRAT
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scanned copies = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scanned copies.js\"" | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 31/10/2022|JavaScript | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1988 wrote to memory of 1664 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1988 wrote to memory of 1664 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1988 wrote to memory of 1664 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1988 wrote to memory of 1472 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1988 wrote to memory of 1472 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1988 wrote to memory of 1472 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1472 wrote to memory of 1756 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1472 wrote to memory of 1756 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1472 wrote to memory of 1756 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Scanned copies.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Scanned copies.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| NG | 41.217.14.122:5465 | javaautorun.duia.ro | tcp |
| NG | 41.217.14.122:5465 | javaautorun.duia.ro | tcp |
| NL | 185.252.178.17:5050 | 185.252.178.17 | tcp |
| NL | 185.252.178.17:5050 | 185.252.178.17 | tcp |
| NL | 185.252.178.17:5050 | 185.252.178.17 | tcp |
| NG | 41.217.14.122:5465 | javaautorun.duia.ro | tcp |
| NG | 41.217.14.122:5465 | javaautorun.duia.ro | tcp |
| NL | 185.252.178.17:5050 | 185.252.178.17 | tcp |
| NL | 185.252.178.17:5050 | 185.252.178.17 | tcp |
| NG | 41.217.14.122:5465 | javaautorun.duia.ro | tcp |
| NG | 41.217.14.122:5465 | javaautorun.duia.ro | tcp |
| NL | 185.252.178.17:5050 | 185.252.178.17 | tcp |
| NG | 41.217.14.122:5465 | javaautorun.duia.ro | tcp |
| NG | 41.217.14.122:5465 | javaautorun.duia.ro | tcp |
| NL | 185.252.178.17:5050 | 185.252.178.17 | tcp |
| NL | 185.252.178.17:5050 | 185.252.178.17 | tcp |
| NL | 185.252.178.17:5050 | 185.252.178.17 | tcp |
| NG | 41.217.14.122:5465 | javaautorun.duia.ro | tcp |
| NG | 41.217.14.122:5465 | javaautorun.duia.ro | tcp |
| NL | 185.252.178.17:5050 | 185.252.178.17 | tcp |
| NL | 185.252.178.17:5050 | 185.252.178.17 | tcp |
Files
memory/1988-54-0x000007FEFBF01000-0x000007FEFBF03000-memory.dmp
memory/1664-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js
| MD5 | 0b3fb1c1e7a5cfdc66b4d3985815e6ff |
| SHA1 | 2bdade957c852dee5c052729e2a464bbd2454082 |
| SHA256 | b92a038dd2b2a329c201677af46b4269ca638c4a19f5ee164cf8c14e80ce488e |
| SHA512 | 4bc41bf95c80f657b68f7236c741336b71e5cc460003b52eb5b817a14411babe357c413d0f45751f02d82915a63a67f132a022d376fb6ed3df6c8e509e31abea |
memory/1472-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Scanned copies.js
| MD5 | 49b13da43564fd53f17eb0a803a92a09 |
| SHA1 | ed74e4ea8cb53499dc36335814d82ac31cc6d0c7 |
| SHA256 | ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804 |
| SHA512 | a58239e5320361022ed9d5d63831029f1589e9e29132f676bba796157b3d2c1c1a1509635cddfd12ba8b6ad37744115039bdf95632ceec481621c5639b713d31 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanned copies.js
| MD5 | 49b13da43564fd53f17eb0a803a92a09 |
| SHA1 | ed74e4ea8cb53499dc36335814d82ac31cc6d0c7 |
| SHA256 | ccfaa79a104470403d9a10a38f44afab9a5038860d32505f66cf891a02c3e804 |
| SHA512 | a58239e5320361022ed9d5d63831029f1589e9e29132f676bba796157b3d2c1c1a1509635cddfd12ba8b6ad37744115039bdf95632ceec481621c5639b713d31 |
memory/1756-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\HdtXkspDNv.js
| MD5 | 0b3fb1c1e7a5cfdc66b4d3985815e6ff |
| SHA1 | 2bdade957c852dee5c052729e2a464bbd2454082 |
| SHA256 | b92a038dd2b2a329c201677af46b4269ca638c4a19f5ee164cf8c14e80ce488e |
| SHA512 | 4bc41bf95c80f657b68f7236c741336b71e5cc460003b52eb5b817a14411babe357c413d0f45751f02d82915a63a67f132a022d376fb6ed3df6c8e509e31abea |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HdtXkspDNv.js
| MD5 | 0b3fb1c1e7a5cfdc66b4d3985815e6ff |
| SHA1 | 2bdade957c852dee5c052729e2a464bbd2454082 |
| SHA256 | b92a038dd2b2a329c201677af46b4269ca638c4a19f5ee164cf8c14e80ce488e |
| SHA512 | 4bc41bf95c80f657b68f7236c741336b71e5cc460003b52eb5b817a14411babe357c413d0f45751f02d82915a63a67f132a022d376fb6ed3df6c8e509e31abea |