Malware Analysis Report

2025-01-18 12:20

Sample ID 221101-x7s5zsedg3
Target proof of payment.js
SHA256 63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e
Tags
vjw0rm wshrat persistence trojan worm
score
10/10

Analysis Overview

score
10/10

SHA256

63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e

Threat Level: Known bad

The file proof of payment.js was found to be: Known bad.

Both detonations (Windows 7 and Windows 10) show the same chain. wscript.exe runs the sample from %TEMP%; the script copies itself unchanged (same SHA256) to %APPDATA%\proof of payment.js and to the Start Menu Startup folder, drops a second script %APPDATA%\EsgAyEJrOf.js (also copied to Startup), relaunches both copies with wscript.exe //B, and registers a Run value named "proof of payment" under both HKLM and HKCU. It then beacons to javaautorun.duia.ro (41.217.12.189:5465) and harold.jetos.com (109.206.243.106:1604). Its HTTP check-ins carry a WSHRAT-style User-Agent that leaks a host identifier, the computer name, the user name and the OS caption, which makes the header a reliable network indicator on its own.

Malicious Activity Summary

vjw0rm wshrat persistence trojan worm

Vjw0rm

WSHRAT

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-01 19:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 19:30

Reported

2022-11-01 19:32

Platform

win7-20220812-en

Max time kernel

150s

Max time network

152s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\proof of payment.js"

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proof of payment.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proof of payment.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\proof of payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\proof of payment.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\proof of payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\proof of payment.js\"" C:\Windows\system32\wscript.exe N/A
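The Startup-folder drops and the Run values above are the only persistence this sample uses, and both share one shape: a script host (wscript.exe) launched in //B batch mode against a .js file under the user's profile. The Python below, added here as an example and not taken from the report or from the sample, triages Run values and Startup entries for exactly that pattern. The input format (hive, value name, value data) is an assumption about how an export from a collection tool would be passed in; the two Run values and two Startup files are the ones in this report, while the "Updater" Run value and the desktop.ini entry are invented benign controls.

```python
"""Triage Run values and Startup-folder entries for script-host persistence."""
import re
from typing import NamedTuple, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "wscript", "cscript"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
# Directories a standard user can write to; a script host autostart from here
# is far more suspicious than one from Program Files or System32.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads|Desktop)\\", re.I)
# wscript.exe //B: batch mode, which suppresses script errors and prompts.
BATCH_FLAG = re.compile(r"(^|\s)//B(\s|$)", re.I)
# Windows command-line tokens: a double-quoted string or a run of non-spaces.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


class Finding(NamedTuple):
    source: str      # "Run:HKLM", "Run:HKCU" or "Startup"
    name: str        # value name or file name
    script: str      # script path the entry runs
    reasons: tuple


def triage_run_value(hive: str, name: str, data: str) -> Optional[Finding]:
    """Flag a Run value whose command is a script host running a script file."""
    tokens = [quoted or bare for quoted, bare in TOKEN.findall(data)]
    if not tokens:
        return None
    host = tokens[0].rsplit("\\", 1)[-1].lower()   # works with or without a full path
    if host not in SCRIPT_HOSTS:
        return None
    scripts = [t for t in tokens[1:] if t.lower().endswith(SCRIPT_EXTS)]
    if not scripts:
        return None
    script = scripts[0]
    reasons = ["Run value launches a script host"]
    if USER_WRITABLE.search(script):
        reasons.append("script lives in a user-writable directory")
    if BATCH_FLAG.search(data):
        reasons.append("//B batch mode suppresses script errors and prompts")
    return Finding(f"Run:{hive}", name, script, tuple(reasons))


def triage_startup_entry(path: str) -> Optional[Finding]:
    """Any script file in a Startup folder is worth a look; nothing legitimate
    needs a raw .js/.vbs there."""
    if not path.lower().endswith(SCRIPT_EXTS):
        return None
    return Finding("Startup", path.rsplit("\\", 1)[-1], path,
                   ("script file in the Startup folder",))


def triage(run_values, startup_entries) -> list:
    findings = [f for f in (triage_run_value(*rv) for rv in run_values) if f]
    findings += [f for f in map(triage_startup_entry, startup_entries) if f]
    return findings


# Constructed input: the Run values and Startup files from the report, plus an
# invented benign Run value and an invented benign Startup entry as controls.
RUN_VALUES = [
    ("HKLM", "proof of payment", r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\proof of payment.js"'),
    ("HKCU", "proof of payment", r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\proof of payment.js"'),
    ("HKCU", "Updater", r'"C:\Program Files\Vendor\Updater.exe" /background'),
]
STARTUP_ENTRIES = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proof of payment.js",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
]

if __name__ == "__main__":
    for f in triage(RUN_VALUES, STARTUP_ENTRIES):
        print(f"{f.source:9} {f.name!r:22} {f.script}\n    " + "; ".join(f.reasons))
```

The HKLM hit is the one to weight highest in an alert: writing the machine-wide Run key needs administrative rights, so a script host there means the user who opened the attachment was an administrator, as in this sandbox run.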

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target Count
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A 16
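The User-Agent above is the bot's check-in and is the same on every request, so it can be matched straight out of proxy or web-gateway logs. The Python below, added here as an example and not taken from the report or from the sample, pulls these beacons out of a log and splits the header into fields. The field names are an assumption based on the Houdini/WSHRAT check-in layout (family tag, host identifier, computer name, user name, OS caption, build tag, antivirus, USB-spread flag with a date, script engine); the report only shows the raw header. The log lines are constructed for the example: two carry the exact header recorded above, one is ordinary browser traffic, one is a second fictitious victim, and one is a truncated beacon, and the destination hosts are placeholders rather than the C2 domains in this report.

```python
"""Pull WSHRAT check-in beacons out of HTTP proxy logs."""
import re
from typing import Optional

# Field layout assumed for the pipe-separated WSHRAT User-Agent (the report
# shows only the raw header; names follow the Houdini/WSHRAT check-in format).
UA_FIELDS = ("family", "host_id", "computer", "user", "os",
             "build", "antivirus", "usb_and_date", "engine")

# Constructed proxy log lines: timestamp, client IP, method, URL, quoted UA.
# Hosts are placeholders, not the C2 domains from the report.
SAMPLE_PROXY_LOG = r"""
2022-11-01T19:31:02Z 10.0.0.5 POST http://c2.example/ "WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript"
2022-11-01T19:31:07Z 10.0.0.5 POST http://c2.example/ "WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript"
2022-11-01T19:31:09Z 10.0.0.7 GET http://www.example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/106.0"
2022-11-01T19:31:15Z 10.0.0.9 POST http://c2.example/ "WSHRAT|7A1C2E9F|FIN-PC07|alice|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript"
2022-11-01T19:31:20Z 10.0.0.9 POST http://c2.example/ "WSHRAT|7A1C2E9F"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_wshrat_ua(ua: str) -> Optional[dict]:
    """Split a WSHRAT beacon header into named fields; None if it is not one."""
    parts = ua.split("|")
    if parts[0] != "WSHRAT" or len(parts) != len(UA_FIELDS):
        return None
    rec = dict(zip(UA_FIELDS, parts))
    # The bot copies the Windows caption verbatim, trailing space included.
    rec["os"] = rec["os"].strip()
    # "false - 1/11/2022": assumed to be the USB-spread flag and a build date.
    flag, _, date = rec.pop("usb_and_date").partition(" - ")
    rec["usb_spread"] = flag
    rec["install_date"] = date
    return rec


def scan_proxy_log(log_text: str) -> list:
    """Return every request whose User-Agent announces itself as WSHRAT.

    A header that starts with WSHRAT| is reported even when it does not parse,
    so a variant that changes the field count still raises an alert.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, method, url, ua = m.groups()
        if not ua.startswith("WSHRAT|"):
            continue
        hits.append({"ts": ts, "client": client, "method": method,
                     "url": url, "ua": ua, "fields": parse_wshrat_ua(ua)})
    return hits


def infected_hosts(hits) -> set:
    """(client IP, host_id, computer name) for each beacon that parsed."""
    return {(h["client"], h["fields"]["host_id"], h["fields"]["computer"])
            for h in hits if h["fields"]}


if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    for h in hits:
        print(h["ts"], h["client"], h["fields"] or "UNPARSED: " + h["ua"])
    print(sorted(infected_hosts(hits)))
```

Matching on the WSHRAT| prefix rather than on the full header is deliberate: the second and third fields change per victim (compare the Windows 10 run further down, which reports 18024990|TMKNGOMU), so an exact-string indicator from one sandbox run would miss every other infected host.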

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\proof of payment.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EsgAyEJrOf.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\proof of payment.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EsgAyEJrOf.js"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 javaautorun.duia.ro udp 2
US 8.8.8.8:53 harold.jetos.com udp 1
NG 41.217.12.189:5465 javaautorun.duia.ro tcp 10
NL 109.206.243.106:1604 harold.jetos.com tcp 16

Files

memory/1192-54-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

memory/1708-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\EsgAyEJrOf.js

MD5 69231c3446c45e0863b0f2ce4ca548ee
SHA1 aa1b5083657f41f604bb5682e52f5016b434f929
SHA256 2d587addbe7f7cbe295ed2364fac0ed6d4d95cc4528672d46067ae0f5cf64535
SHA512 a1626d532d85d703e2e7aca73f51f1bca448e985a060d7c419bf56235fc69cbc007d4e0c2606e2d951a799d8de3f51c8c0c3333da3edc2f00f31dd5beb3c515b

memory/1204-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\proof of payment.js

MD5 0d0b5b04e14fcc092409742a84532f26
SHA1 7d978a6f7f07629eb04a126d7a94a19662d0951f
SHA256 63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e
SHA512 b8cdb6164ccd45ad4ca94a3a5491e8d9a0b6a3e3aed56439994a59293141ae9ff3e80cecb4507373bb0ead9e796a83a381e2873f269bc3a100be365ef3c20c4f

memory/764-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proof of payment.js

MD5 0d0b5b04e14fcc092409742a84532f26
SHA1 7d978a6f7f07629eb04a126d7a94a19662d0951f
SHA256 63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e
SHA512 b8cdb6164ccd45ad4ca94a3a5491e8d9a0b6a3e3aed56439994a59293141ae9ff3e80cecb4507373bb0ead9e796a83a381e2873f269bc3a100be365ef3c20c4f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js

MD5 69231c3446c45e0863b0f2ce4ca548ee
SHA1 aa1b5083657f41f604bb5682e52f5016b434f929
SHA256 2d587addbe7f7cbe295ed2364fac0ed6d4d95cc4528672d46067ae0f5cf64535
SHA512 a1626d532d85d703e2e7aca73f51f1bca448e985a060d7c419bf56235fc69cbc007d4e0c2606e2d951a799d8de3f51c8c0c3333da3edc2f00f31dd5beb3c515b

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-01 19:30

Reported

2022-11-01 19:32

Platform

win10v2004-20220812-en

Max time kernel

149s

Max time network

153s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\proof of payment.js"

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proof of payment.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proof of payment.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\proof of payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\proof of payment.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\proof of payment = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\proof of payment.js\"" C:\Windows\System32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target Count
HTTP User-Agent header WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A 19

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5104 wrote to memory of 1792 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 5104 wrote to memory of 4324 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4324 wrote to memory of 4744 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe

Every write here is from a wscript.exe parent into a wscript.exe child it has just spawned, which is consistent with ordinary process creation rather than code injection. Read together with the process list below, the entries give the chain 5104 (proof of payment.js from Temp) -> 1792 (EsgAyEJrOf.js) and 5104 -> 4324 (the %APPDATA% copy of proof of payment.js) -> 4744 (EsgAyEJrOf.js again).

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\proof of payment.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EsgAyEJrOf.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\proof of payment.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EsgAyEJrOf.js"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 javaautorun.duia.ro udp 1
US 8.8.8.8:53 harold.jetos.com udp 1
NG 41.217.12.189:5465 javaautorun.duia.ro tcp 12
NL 109.206.243.106:1604 harold.jetos.com tcp 19
US 93.184.220.29:80 (no domain recorded) tcp 1
US 20.42.65.89:443 (no domain recorded) tcp 1
NL 104.110.191.133:80 (no domain recorded) tcp 2

Files

memory/1792-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\EsgAyEJrOf.js

MD5 69231c3446c45e0863b0f2ce4ca548ee
SHA1 aa1b5083657f41f604bb5682e52f5016b434f929
SHA256 2d587addbe7f7cbe295ed2364fac0ed6d4d95cc4528672d46067ae0f5cf64535
SHA512 a1626d532d85d703e2e7aca73f51f1bca448e985a060d7c419bf56235fc69cbc007d4e0c2606e2d951a799d8de3f51c8c0c3333da3edc2f00f31dd5beb3c515b

memory/4324-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\proof of payment.js

MD5 0d0b5b04e14fcc092409742a84532f26
SHA1 7d978a6f7f07629eb04a126d7a94a19662d0951f
SHA256 63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e
SHA512 b8cdb6164ccd45ad4ca94a3a5491e8d9a0b6a3e3aed56439994a59293141ae9ff3e80cecb4507373bb0ead9e796a83a381e2873f269bc3a100be365ef3c20c4f

memory/4744-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\proof of payment.js

MD5 0d0b5b04e14fcc092409742a84532f26
SHA1 7d978a6f7f07629eb04a126d7a94a19662d0951f
SHA256 63ada20c4214f2995f841de3cffabfc465d5bff1b4bee0cf4ebac7be643fb67e
SHA512 b8cdb6164ccd45ad4ca94a3a5491e8d9a0b6a3e3aed56439994a59293141ae9ff3e80cecb4507373bb0ead9e796a83a381e2873f269bc3a100be365ef3c20c4f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsgAyEJrOf.js

MD5 69231c3446c45e0863b0f2ce4ca548ee
SHA1 aa1b5083657f41f604bb5682e52f5016b434f929
SHA256 2d587addbe7f7cbe295ed2364fac0ed6d4d95cc4528672d46067ae0f5cf64535
SHA512 a1626d532d85d703e2e7aca73f51f1bca448e985a060d7c419bf56235fc69cbc007d4e0c2606e2d951a799d8de3f51c8c0c3333da3edc2f00f31dd5beb3c515b