Malware Analysis Report

2024-11-30 15:43

Sample ID 230113-kt64gabe2v
Target REQUEST FOR MV W-MAYFAIR.js
SHA256 cee54813009042b01b4ebd1afbf99160b0c25465b7530332ba5bb064be6eba63
Tags
asyncrat vjw0rm default rat spyware stealer trojan worm
score
10/10

Analysis Overview

score
10/10

SHA256

cee54813009042b01b4ebd1afbf99160b0c25465b7530332ba5bb064be6eba63

Threat Level: Known bad

The file REQUEST FOR MV W-MAYFAIR.js was found to be: Known bad.

Malicious Activity Summary

asyncrat vjw0rm default rat spyware stealer trojan worm

AsyncRat

Vjw0rm

Async RAT payload

Blocklisted process makes network request

Executes dropped EXE

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-13 08:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-13 08:54

Reported

2023-01-13 08:57

Platform

win7-20221111-en

Max time kernel

147s

Max time network

151s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\REQUEST FOR MV W-MAYFAIR.js"

Signatures

AsyncRat

rat asyncrat

Vjw0rm

trojan worm vjw0rm

Async RAT payload

rat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Recycle Bin.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js C:\Windows\System32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Recycle Bin.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 296 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 2024 wrote to memory of 296 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 2024 wrote to memory of 296 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 2024 wrote to memory of 460 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
PID 2024 wrote to memory of 460 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
PID 2024 wrote to memory of 460 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
PID 2024 wrote to memory of 460 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
PID 460 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 460 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 460 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 460 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1832 wrote to memory of 316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1832 wrote to memory of 316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1832 wrote to memory of 316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1832 wrote to memory of 316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 460 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 460 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 460 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 460 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 544 wrote to memory of 1344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 544 wrote to memory of 1344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 544 wrote to memory of 1344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 544 wrote to memory of 1344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 544 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Recycle Bin.exe
PID 544 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Recycle Bin.exe
PID 544 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Recycle Bin.exe
PID 544 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Recycle Bin.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\REQUEST FOR MV W-MAYFAIR.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js"

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"' & exit

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"'

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp14E8.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Recycle Bin.exe

"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 84.21.172.33:8808 tcp

Files

memory/2024-54-0x000007FEFC2D1000-0x000007FEFC2D3000-memory.dmp

memory/296-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js

MD5 7586d9e4467d26fde97538eab36cf88c
SHA1 d7fcd37e0bc9e790023a38d2d470cd001f81ca92
SHA256 7aff4cbd997ad6886484076ba71d1c067931d9a1462aa16e9d2fc47b4d5b8f18
SHA512 02676bd1e1086eeae9bdec3bce065ac97267c457daf6fbd77a783d7fc81fc6f891518d6fd19dd525e84ebd25e3098614c4bbefa71ded301cd3a7a46ed2a40e0a

memory/460-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

MD5 1b5be7647628e1de782bb8f33d369dd3
SHA1 cd6e2f240ea97d03c6c796ab3573f728d6c30d9f
SHA256 fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903
SHA512 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155

memory/460-60-0x0000000000E40000-0x0000000000E52000-memory.dmp

memory/460-62-0x00000000760D1000-0x00000000760D3000-memory.dmp

memory/1832-63-0x0000000000000000-mapping.dmp

memory/316-64-0x0000000000000000-mapping.dmp

memory/544-65-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp14E8.tmp.bat

MD5 1f60ee76a720ac6e6ab1275e8d9e370b
SHA1 c0f2f19008a7c05ab6e69918bbd3d21305211bce
SHA256 ac025daa5c2452a960ba059005a7c8217323f783cd01f7935528ad03eb58d041
SHA512 f4833574fd729a51e9d1af17217062e5977204f1110e6a9c6062d65a52e2465806f9876079564657266c733b59ef8f91ba7ffeac8471dd4d0e7025c6d1132adb

memory/1344-67-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\Recycle Bin.exe

MD5 1b5be7647628e1de782bb8f33d369dd3
SHA1 cd6e2f240ea97d03c6c796ab3573f728d6c30d9f
SHA256 fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903
SHA512 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155

C:\Users\Admin\AppData\Roaming\Recycle Bin.exe

MD5 1b5be7647628e1de782bb8f33d369dd3
SHA1 cd6e2f240ea97d03c6c796ab3573f728d6c30d9f
SHA256 fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903
SHA512 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155

memory/1364-70-0x0000000000000000-mapping.dmp

memory/1364-72-0x00000000010E0000-0x00000000010F2000-memory.dmp

memory/1364-74-0x00000000058D0000-0x000000000594E000-memory.dmp

memory/1364-75-0x0000000000670000-0x000000000067A000-memory.dmp

memory/1364-76-0x0000000005AD0000-0x0000000005B60000-memory.dmp

memory/1364-77-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-13 08:54

Reported

2023-01-13 08:57

Platform

win10v2004-20221111-en

Max time kernel

142s

Max time network

151s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\REQUEST FOR MV W-MAYFAIR.js"

Signatures

AsyncRat

rat asyncrat

Vjw0rm

trojan worm vjw0rm

Async RAT payload

rat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Recycle Bin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js C:\Windows\System32\wscript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Recycle Bin.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 372 wrote to memory of 4940 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 372 wrote to memory of 4940 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 372 wrote to memory of 4996 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
PID 372 wrote to memory of 4996 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
PID 372 wrote to memory of 4996 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
PID 4996 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1076 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1076 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1076 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2844 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2844 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2844 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2844 wrote to memory of 5052 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Recycle Bin.exe
PID 2844 wrote to memory of 5052 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Recycle Bin.exe
PID 2844 wrote to memory of 5052 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Recycle Bin.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\REQUEST FOR MV W-MAYFAIR.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js"

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7FD3.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Recycle Bin.exe

"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp
N/A 209.197.3.8:80 tcp
N/A 84.21.172.33:6606 tcp
N/A 20.189.173.11:443 tcp
N/A 104.80.225.205:443 tcp

Files

memory/4940-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js

MD5 7586d9e4467d26fde97538eab36cf88c
SHA1 d7fcd37e0bc9e790023a38d2d470cd001f81ca92
SHA256 7aff4cbd997ad6886484076ba71d1c067931d9a1462aa16e9d2fc47b4d5b8f18
SHA512 02676bd1e1086eeae9bdec3bce065ac97267c457daf6fbd77a783d7fc81fc6f891518d6fd19dd525e84ebd25e3098614c4bbefa71ded301cd3a7a46ed2a40e0a

memory/4996-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

MD5 1b5be7647628e1de782bb8f33d369dd3
SHA1 cd6e2f240ea97d03c6c796ab3573f728d6c30d9f
SHA256 fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903
SHA512 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155

memory/4996-137-0x0000000000240000-0x0000000000252000-memory.dmp

memory/4996-138-0x0000000004D10000-0x0000000004DAC000-memory.dmp

memory/1076-139-0x0000000000000000-mapping.dmp

memory/2844-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7FD3.tmp.bat

MD5 7992de01af08d08ca180f7698efd9d6f
SHA1 110093addb8489a40d547912e58d65d62e126d7d
SHA256 0d05720a0966d99bdc852f86268a8e88a9b1bcd3a65a1f0ca3eb2f1baad3b6bc
SHA512 2130256f80836409e1048c1c56a940bca5443eb039d555aea3c779716974fc4e3b83ffd3d53fe79e667198cb5fa41487a0c28f587fdc944c2b21c942a8997eba

memory/1472-141-0x0000000000000000-mapping.dmp

memory/1792-143-0x0000000000000000-mapping.dmp

memory/5052-144-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Recycle Bin.exe

MD5 1b5be7647628e1de782bb8f33d369dd3
SHA1 cd6e2f240ea97d03c6c796ab3573f728d6c30d9f
SHA256 fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903
SHA512 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155

memory/5052-147-0x0000000005B30000-0x00000000060D4000-memory.dmp

memory/5052-148-0x00000000055F0000-0x0000000005656000-memory.dmp

memory/5052-149-0x0000000006960000-0x00000000069D6000-memory.dmp

memory/5052-150-0x0000000006A00000-0x0000000006A1E000-memory.dmp