Malware Analysis Report

2024-11-30 15:43

Sample ID 230113-kwp8qsbe3v
Target MV BMC ENDORA V0123- PDA.js
SHA256 cee54813009042b01b4ebd1afbf99160b0c25465b7530332ba5bb064be6eba63
Tags: asyncrat vjw0rm default rat spyware stealer trojan worm
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

cee54813009042b01b4ebd1afbf99160b0c25465b7530332ba5bb064be6eba63

Threat Level: Known bad

The file MV BMC ENDORA V0123- PDA.js was found to be: Known bad.

Malicious Activity Summary

asyncrat vjw0rm default rat spyware stealer trojan worm

Vjw0rm

AsyncRat

Async RAT payload

Executes dropped EXE

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Enumerates physical storage devices

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-13 08:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-13 08:57

Reported

2023-01-13 08:59

Platform

win7-20220812-en

Max time kernel

146s

Max time network

152s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\MV BMC ENDORA V0123- PDA.js"

Signatures

AsyncRat

rat asyncrat

Vjw0rm

trojan worm vjw0rm

Async RAT payload

rat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Recycle Bin.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js C:\Windows\System32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Recycle Bin.exe N/A

Suspicious use of WriteProcessMemory

Description (identical rows collapsed, event count in parentheses) Indicator Process Target
PID 1816 wrote to memory of 1756 (3 events) N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1816 wrote to memory of 1956 (4 events) N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
PID 1956 wrote to memory of 1928 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 1868 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 552 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1868 wrote to memory of 1620 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1868 wrote to memory of 1880 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Recycle Bin.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\MV BMC ENDORA V0123- PDA.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js"

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5E18.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Recycle Bin.exe

"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"

Network

Country Destination Domain Proto (identical rows collapsed, connection count in parentheses)
N/A 8.8.8.8:53 javaautorun.duia.ro udp (1)
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp (16)
N/A 84.21.172.33:8808 N/A tcp (2)

Files

memory/1816-54-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

memory/1756-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js

MD5 7586d9e4467d26fde97538eab36cf88c
SHA1 d7fcd37e0bc9e790023a38d2d470cd001f81ca92
SHA256 7aff4cbd997ad6886484076ba71d1c067931d9a1462aa16e9d2fc47b4d5b8f18
SHA512 02676bd1e1086eeae9bdec3bce065ac97267c457daf6fbd77a783d7fc81fc6f891518d6fd19dd525e84ebd25e3098614c4bbefa71ded301cd3a7a46ed2a40e0a

memory/1956-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

MD5 1b5be7647628e1de782bb8f33d369dd3
SHA1 cd6e2f240ea97d03c6c796ab3573f728d6c30d9f
SHA256 fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903
SHA512 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155

memory/1956-61-0x0000000000E30000-0x0000000000E42000-memory.dmp

memory/1956-62-0x00000000756A1000-0x00000000756A3000-memory.dmp

memory/1928-63-0x0000000000000000-mapping.dmp

memory/1868-64-0x0000000000000000-mapping.dmp

memory/552-65-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5E18.tmp.bat

MD5 283069a509dcbec665140fd9d1cb1125
SHA1 b8c7494ec6c7612cd09a0b80a5bee48e84f72dbd
SHA256 157ebfe2f54922b9e7dd683dd576ab8c832cc130ea0c6b90a09a45b95ec132a1
SHA512 5febd13491c244783d6cab407d642a16057d722402c352e172412403edd614c3fbfe1e7de72f37c2cb06e770a09c72bf9f2e71cdd7f882bc402a83d4f205cbf7

memory/1620-67-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\Recycle Bin.exe

MD5 1b5be7647628e1de782bb8f33d369dd3
SHA1 cd6e2f240ea97d03c6c796ab3573f728d6c30d9f
SHA256 fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903
SHA512 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155

memory/1880-70-0x0000000000000000-mapping.dmp

memory/1880-72-0x00000000003B0000-0x00000000003C2000-memory.dmp

memory/1880-74-0x0000000005330000-0x00000000053AE000-memory.dmp

memory/1880-75-0x00000000006E0000-0x00000000006EA000-memory.dmp

memory/1880-76-0x0000000005C10000-0x0000000005CA0000-memory.dmp

memory/1880-77-0x0000000005A20000-0x0000000005A80000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-13 08:57

Reported

2023-01-13 08:59

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

152s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\MV BMC ENDORA V0123- PDA.js"

Signatures

AsyncRat

rat asyncrat

Vjw0rm

trojan worm vjw0rm

Async RAT payload

rat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Recycle Bin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js C:\Windows\System32\wscript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target (identical rows collapsed, event count in parentheses)
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A (25 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Recycle Bin.exe N/A

Suspicious use of WriteProcessMemory

Description (identical rows collapsed, event count in parentheses) Indicator Process Target
PID 960 wrote to memory of 1080 (2 events) N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 960 wrote to memory of 580 (3 events) N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
PID 580 wrote to memory of 1172 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 580 wrote to memory of 4360 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe C:\Windows\SysWOW64\cmd.exe
PID 1172 wrote to memory of 4472 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4360 wrote to memory of 1460 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4360 wrote to memory of 3940 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Recycle Bin.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\MV BMC ENDORA V0123- PDA.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js"

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8E2B.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Recycle Bin.exe

"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"

Network

Country Destination Domain Proto (identical rows collapsed, connection count in parentheses)
N/A 8.8.8.8:53 javaautorun.duia.ro udp (1)
N/A 194.5.98.97:5443 javaautorun.duia.ro tcp (16)
N/A 93.184.220.29:80 N/A tcp (2)
N/A 84.21.172.33:6606 N/A tcp (2)
N/A 52.182.143.210:443 N/A tcp (1)
N/A 8.8.8.8:53 14.110.152.52.in-addr.arpa udp (1)
N/A 8.8.8.8:53 0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa udp (1)

Files

memory/1080-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js

MD5 7586d9e4467d26fde97538eab36cf88c
SHA1 d7fcd37e0bc9e790023a38d2d470cd001f81ca92
SHA256 7aff4cbd997ad6886484076ba71d1c067931d9a1462aa16e9d2fc47b4d5b8f18
SHA512 02676bd1e1086eeae9bdec3bce065ac97267c457daf6fbd77a783d7fc81fc6f891518d6fd19dd525e84ebd25e3098614c4bbefa71ded301cd3a7a46ed2a40e0a

memory/580-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

MD5 1b5be7647628e1de782bb8f33d369dd3
SHA1 cd6e2f240ea97d03c6c796ab3573f728d6c30d9f
SHA256 fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903
SHA512 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155

memory/580-137-0x0000000000D30000-0x0000000000D42000-memory.dmp

memory/580-138-0x00000000057D0000-0x000000000586C000-memory.dmp

memory/1172-139-0x0000000000000000-mapping.dmp

memory/4360-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8E2B.tmp.bat

MD5 e113f3895ad67011505e2fe3e1f48a71
SHA1 60c5f2be1c75922ec5ade991021207f07e0b256a
SHA256 5eb779a9f9077d5ae74d09f601fa0ce68a8cd27c858918bc6c1319f479e4aaec
SHA512 291359cf8ee4f2adbda15561ef825d00fd91eca6b6c97596e3123d397f603a2f5bd69d201aff9c975d81cb00044f4709da131e665c186fb9ece72867e8f48b40

memory/4472-142-0x0000000000000000-mapping.dmp

memory/1460-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Recycle Bin.exe

MD5 1b5be7647628e1de782bb8f33d369dd3
SHA1 cd6e2f240ea97d03c6c796ab3573f728d6c30d9f
SHA256 fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903
SHA512 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155

memory/3940-144-0x0000000000000000-mapping.dmp

memory/3940-147-0x0000000005680000-0x0000000005C24000-memory.dmp

memory/3940-148-0x0000000005140000-0x00000000051A6000-memory.dmp

memory/3940-149-0x00000000064B0000-0x0000000006526000-memory.dmp

memory/3940-150-0x0000000006560000-0x000000000657E000-memory.dmp