Malware Analysis Report

2025-01-18 12:22

Sample ID 221109-t9e5cscafq
Target kmEgggSTWx_ayorecover.js
SHA256 950be081ea324e3251d4dc0f6d3a5a6af714ebd929e2d9b35cfff08202751e52
Tags
vjw0rm wshrat persistence trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

950be081ea324e3251d4dc0f6d3a5a6af714ebd929e2d9b35cfff08202751e52

Threat Level: Known bad

The file kmEgggSTWx_ayorecover.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm wshrat persistence trojan worm

Vjw0rm

WSHRAT

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-09 16:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-09 16:45

Reported

2022-11-09 16:49

Platform

win7-20220812-en

Max time kernel

154s

Max time network

177s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\kmEgggSTWx_ayorecover.js

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BprNPhymLq.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kmEgggSTWx_ayorecover.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BprNPhymLq.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kmEgggSTWx_ayorecover.js C:\Windows\system32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kmEgggSTWx_ayorecover = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\kmEgggSTWx_ayorecover.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kmEgggSTWx_ayorecover = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\kmEgggSTWx_ayorecover.js\"" C:\Windows\system32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 9/11/2022|JavaScript-v3.4|01:Unknown N/A N/A
HTTP User-Agent header WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 9/11/2022|JavaScript-v3.4|01:Unknown N/A N/A
HTTP User-Agent header WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 9/11/2022|JavaScript-v3.4|01:Unknown N/A N/A
HTTP User-Agent header WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 9/11/2022|JavaScript-v3.4|01:Unknown N/A N/A
HTTP User-Agent header WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 9/11/2022|JavaScript-v3.4|01:Unknown N/A N/A
HTTP User-Agent header WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 9/11/2022|JavaScript-v3.4|01:Unknown N/A N/A
HTTP User-Agent header WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 9/11/2022|JavaScript-v3.4|01:Unknown N/A N/A
HTTP User-Agent header WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 9/11/2022|JavaScript-v3.4|01:Unknown N/A N/A
HTTP User-Agent header WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 9/11/2022|JavaScript-v3.4|01:Unknown N/A N/A
HTTP User-Agent header WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 9/11/2022|JavaScript-v3.4|01:Unknown N/A N/A
HTTP User-Agent header WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 9/11/2022|JavaScript-v3.4|01:Unknown N/A N/A
HTTP User-Agent header WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 9/11/2022|JavaScript-v3.4|01:Unknown N/A N/A
HTTP User-Agent header WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 9/11/2022|JavaScript-v3.4|01:Unknown N/A N/A
HTTP User-Agent header WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 9/11/2022|JavaScript-v3.4|01:Unknown N/A N/A
HTTP User-Agent header WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 9/11/2022|JavaScript-v3.4|01:Unknown N/A N/A
HTTP User-Agent header WSHRAT|5C41F0CB|ZERMMMDR|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 9/11/2022|JavaScript-v3.4|01:Unknown N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1452 wrote to memory of 1076 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1452 wrote to memory of 1076 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1452 wrote to memory of 1076 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\kmEgggSTWx_ayorecover.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BprNPhymLq.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 javaautorun.duia.ro udp
US 5.62.56.23:5465 javaautorun.duia.ro tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
US 5.62.56.23:5465 javaautorun.duia.ro tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
US 5.62.56.23:5465 javaautorun.duia.ro tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 tcp
US 5.62.56.23:5465 javaautorun.duia.ro tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
US 5.62.56.23:5465 javaautorun.duia.ro tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp

Files

memory/1452-54-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

memory/1076-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\BprNPhymLq.js

MD5 6c2af27200986f8a2a4bac88f60f9a12
SHA1 d5b09e6f0a53e449b35d1f2e7181e5edb2b9ef6f
SHA256 ff3f6f415f3833a0b197b2036f0241b3d43ade5418ed053d98246e0af4861058
SHA512 157b94223d5df4899c74071019a8169d52d1dfebccebdf7a0254fef7c5c45116b8c9893c614bed93ede40f1e06893d0bd5a4a438a23d299293a63f8246e1f9e2

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-09 16:45

Reported

2022-11-09 16:48

Platform

win10v2004-20220901-en

Max time kernel

154s

Max time network

160s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\kmEgggSTWx_ayorecover.js

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kmEgggSTWx_ayorecover.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kmEgggSTWx_ayorecover.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BprNPhymLq.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BprNPhymLq.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kmEgggSTWx_ayorecover = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\kmEgggSTWx_ayorecover.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kmEgggSTWx_ayorecover = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\kmEgggSTWx_ayorecover.js\"" C:\Windows\system32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4956 wrote to memory of 808 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4956 wrote to memory of 808 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\kmEgggSTWx_ayorecover.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BprNPhymLq.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 javaautorun.duia.ro udp
US 5.62.56.23:5465 javaautorun.duia.ro tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
US 52.182.141.63:443 tcp
FR 2.18.109.224:443 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
US 5.62.56.23:5465 javaautorun.duia.ro tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
US 5.62.56.23:5465 javaautorun.duia.ro tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
US 93.184.221.240:80 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
US 5.62.56.23:5465 javaautorun.duia.ro tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
US 5.62.56.23:5465 javaautorun.duia.ro tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
NL 45.139.105.174:3670 45.139.105.174 tcp
US 5.62.56.23:5465 javaautorun.duia.ro tcp
NL 45.139.105.174:3670 45.139.105.174 tcp

Files

memory/808-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\BprNPhymLq.js

MD5 6c2af27200986f8a2a4bac88f60f9a12
SHA1 d5b09e6f0a53e449b35d1f2e7181e5edb2b9ef6f
SHA256 ff3f6f415f3833a0b197b2036f0241b3d43ade5418ed053d98246e0af4861058
SHA512 157b94223d5df4899c74071019a8169d52d1dfebccebdf7a0254fef7c5c45116b8c9893c614bed93ede40f1e06893d0bd5a4a438a23d299293a63f8246e1f9e2