Malware Analysis Report

2024-11-30 15:43

Sample ID 230113-k3sbnsbe6w
Target MV BMC ENDORA V0123- PDA.js
SHA256 cee54813009042b01b4ebd1afbf99160b0c25465b7530332ba5bb064be6eba63
Tags: asyncrat vjw0rm default rat trojan worm
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: cee54813009042b01b4ebd1afbf99160b0c25465b7530332ba5bb064be6eba63

Threat Level: Known bad

The file MV BMC ENDORA V0123- PDA.js was found to be: Known bad.

Malicious Activity Summary

asyncrat vjw0rm default rat trojan worm

AsyncRat

Vjw0rm

Async RAT payload

Executes dropped EXE

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Drops startup file

Enumerates physical storage devices

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2023-01-13 09:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-13 09:07

Reported

2023-01-13 09:10

Platform

win7-20221111-en

Max time kernel

147s

Max time network

151s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\MV BMC ENDORA V0123- PDA.js"

Signatures

AsyncRat

rat asyncrat

Vjw0rm

trojan worm vjw0rm

Async RAT payload

rat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Recycle Bin.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js | C:\Windows\System32\wscript.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Recycle Bin.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1336 wrote to memory of 556 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 1336 wrote to memory of 556 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 1336 wrote to memory of 556 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 1336 wrote to memory of 764 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
PID 1336 wrote to memory of 764 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
PID 1336 wrote to memory of 764 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
PID 1336 wrote to memory of 764 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
PID 764 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 764 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 764 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 764 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 764 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 764 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 764 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 764 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1888 wrote to memory of 864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1888 wrote to memory of 864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1888 wrote to memory of 864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 316 wrote to memory of 1092 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 316 wrote to memory of 1092 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 316 wrote to memory of 1092 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 316 wrote to memory of 1092 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 316 wrote to memory of 1432 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Recycle Bin.exe
PID 316 wrote to memory of 1432 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Recycle Bin.exe
PID 316 wrote to memory of 1432 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Recycle Bin.exe
PID 316 wrote to memory of 1432 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Recycle Bin.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\MV BMC ENDORA V0123- PDA.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js"

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1DFD.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Recycle Bin.exe

"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 84.21.172.33:8808 | N/A | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp

Files

memory/1336-54-0x000007FEFBDD1000-0x000007FEFBDD3000-memory.dmp

memory/556-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js

MD5 7586d9e4467d26fde97538eab36cf88c
SHA1 d7fcd37e0bc9e790023a38d2d470cd001f81ca92
SHA256 7aff4cbd997ad6886484076ba71d1c067931d9a1462aa16e9d2fc47b4d5b8f18
SHA512 02676bd1e1086eeae9bdec3bce065ac97267c457daf6fbd77a783d7fc81fc6f891518d6fd19dd525e84ebd25e3098614c4bbefa71ded301cd3a7a46ed2a40e0a

memory/764-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

MD5 1b5be7647628e1de782bb8f33d369dd3
SHA1 cd6e2f240ea97d03c6c796ab3573f728d6c30d9f
SHA256 fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903
SHA512 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155

memory/764-61-0x0000000000BD0000-0x0000000000BE2000-memory.dmp

memory/764-62-0x0000000075491000-0x0000000075493000-memory.dmp

memory/1888-63-0x0000000000000000-mapping.dmp

memory/316-64-0x0000000000000000-mapping.dmp

memory/864-65-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1DFD.tmp.bat

MD5 b082887b65398b485f4d092b71bc92e2
SHA1 21755648ebd2f9acb7319285e281fb7dc52907ad
SHA256 266ba56cca74e30d895cbb31b9266697a5af8d8c909f583e72a9d9649ad779c2
SHA512 c04bfe2a550b3fecdb45d224f456a92c218f69914e80c0a5c465338482802bd19c4751e601dd59561f956eaa9834af8d9558a930ecb1366b190b12113dc4588b

memory/1092-67-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\Recycle Bin.exe

MD5 1b5be7647628e1de782bb8f33d369dd3
SHA1 cd6e2f240ea97d03c6c796ab3573f728d6c30d9f
SHA256 fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903
SHA512 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155

C:\Users\Admin\AppData\Roaming\Recycle Bin.exe

MD5 1b5be7647628e1de782bb8f33d369dd3
SHA1 cd6e2f240ea97d03c6c796ab3573f728d6c30d9f
SHA256 fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903
SHA512 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155

memory/1432-70-0x0000000000000000-mapping.dmp

memory/1432-72-0x0000000000CF0000-0x0000000000D02000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-13 09:07

Reported

2023-01-13 09:10

Platform

win10v2004-20220812-en

Max time kernel

142s

Max time network

152s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\MV BMC ENDORA V0123- PDA.js"

Signatures

AsyncRat

rat asyncrat

Vjw0rm

trojan worm vjw0rm

Async RAT payload

rat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Recycle Bin.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js | C:\Windows\System32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js | C:\Windows\System32\wscript.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Recycle Bin.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2812 wrote to memory of 4768 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 2812 wrote to memory of 4768 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 2812 wrote to memory of 1972 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
PID 2812 wrote to memory of 1972 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
PID 2812 wrote to memory of 1972 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
PID 1972 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 4816 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1540 wrote to memory of 4816 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1540 wrote to memory of 4816 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1760 wrote to memory of 2252 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1760 wrote to memory of 2252 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1760 wrote to memory of 2252 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1760 wrote to memory of 224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Recycle Bin.exe
PID 1760 wrote to memory of 224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Recycle Bin.exe
PID 1760 wrote to memory of 224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Recycle Bin.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\MV BMC ENDORA V0123- PDA.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js"

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAA1F.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Recycle Bin.exe

"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 84.21.172.33:6606 | N/A | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 93.184.220.29:80 | N/A | tcp
N/A | 93.184.220.29:80 | N/A | tcp
N/A | 8.252.118.126:80 | N/A | tcp
N/A | 8.253.209.121:80 | N/A | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp
N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp

Files

memory/4768-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js

MD5 7586d9e4467d26fde97538eab36cf88c
SHA1 d7fcd37e0bc9e790023a38d2d470cd001f81ca92
SHA256 7aff4cbd997ad6886484076ba71d1c067931d9a1462aa16e9d2fc47b4d5b8f18
SHA512 02676bd1e1086eeae9bdec3bce065ac97267c457daf6fbd77a783d7fc81fc6f891518d6fd19dd525e84ebd25e3098614c4bbefa71ded301cd3a7a46ed2a40e0a

memory/1972-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

MD5 1b5be7647628e1de782bb8f33d369dd3
SHA1 cd6e2f240ea97d03c6c796ab3573f728d6c30d9f
SHA256 fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903
SHA512 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155

memory/1972-137-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

memory/1972-138-0x0000000005850000-0x00000000058EC000-memory.dmp

memory/1540-139-0x0000000000000000-mapping.dmp

memory/1760-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAA1F.tmp.bat

MD5 2547ecb37ec068cfecedbdf134b5a575
SHA1 012274179c2395a7ba9c0d67e38d1b4328eda6bd
SHA256 68bd9ecad3ece2a746c2880527cadaa72595c20962adcbacb32ae03db1e48903
SHA512 5813c436a2e100660d70c789504314d2b15cc3d8f1aa0ab21e7428951b27487cb4adb7d39b178e0fdea73300ad2c6c49bb4314b1ba6e950608d523794e30a4f4

memory/4816-142-0x0000000000000000-mapping.dmp

memory/2252-143-0x0000000000000000-mapping.dmp

memory/224-144-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Recycle Bin.exe

MD5 1b5be7647628e1de782bb8f33d369dd3
SHA1 cd6e2f240ea97d03c6c796ab3573f728d6c30d9f
SHA256 fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903
SHA512 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155

memory/224-147-0x0000000005D40000-0x00000000062E4000-memory.dmp

memory/224-148-0x0000000005800000-0x0000000005866000-memory.dmp