Malware Analysis Report

2025-04-14 08:27

Sample ID 211026-y5bzcsace3
Target facturas vencidas.js
SHA256 c6504bae5d10711f8b818b90eec6eea42a97a0c02129421b5e0b07225c6eca77
Tags
wshrat persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c6504bae5d10711f8b818b90eec6eea42a97a0c02129421b5e0b07225c6eca77

Threat Level: Known bad

The file facturas vencidas.js was found to be: Known bad.

Malicious Activity Summary

wshrat persistence trojan

WSHRAT

Blocklisted process makes network request

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-10-26 20:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-10-26 20:21

Reported

2021-10-26 20:25

Platform

win7-en-20210920

Max time kernel

147s

Max time network

187s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\facturas vencidas.js"

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\facturas vencidas.js | C:\Windows\system32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\facturas vencidas.js | C:\Windows\System32\wscript.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\facturas vencidas = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\facturas vencidas.js\"" | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\facturas vencidas = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\facturas vencidas.js\"" | C:\Windows\system32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\facturas vencidas = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\facturas vencidas.js\"" | C:\Windows\system32\wscript.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\facturas vencidas = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\facturas vencidas.js\"" | C:\Windows\System32\wscript.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Script User-Agent

Description: HTTP User-Agent header
Indicator: WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/10/2021|JavaScript-v3.4|NL:Netherlands
Process: N/A
Target: N/A

The same User-Agent header was recorded 26 times during this detonation.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 268 wrote to memory of 1328 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe

This event was recorded 3 times.

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\facturas vencidas.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\facturas vencidas.js"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | titopeo1.duckdns.org | udp
US | 192.169.69.26:9781 | titopeo1.duckdns.org | tcp (26 identical connections)

Files

memory/1328-54-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\facturas vencidas.js

MD5 4002af6477f7e690003fcaa27f1711b5
SHA1 62bf21de613699c3e43d8db585ea42d34e492dfc
SHA256 c6504bae5d10711f8b818b90eec6eea42a97a0c02129421b5e0b07225c6eca77
SHA512 f5a1d7e8ea6fba6ad4f8faf70690f0450a4daf969263bc9cea94c72f82d22b138b2630e94c0c035a3137e09cb28e5fedffc4fc2fdcfe51f26397f60d14011430

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\facturas vencidas.js

MD5 4002af6477f7e690003fcaa27f1711b5
SHA1 62bf21de613699c3e43d8db585ea42d34e492dfc
SHA256 c6504bae5d10711f8b818b90eec6eea42a97a0c02129421b5e0b07225c6eca77
SHA512 f5a1d7e8ea6fba6ad4f8faf70690f0450a4daf969263bc9cea94c72f82d22b138b2630e94c0c035a3137e09cb28e5fedffc4fc2fdcfe51f26397f60d14011430

Analysis: behavioral2

Detonation Overview

Submitted

2021-10-26 20:21

Reported

2021-10-26 20:24

Platform

win10-en-20211014

Max time kernel

147s

Max time network

151s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\facturas vencidas.js"

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\facturas vencidas.js | C:\Windows\system32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\facturas vencidas.js | C:\Windows\System32\wscript.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\facturas vencidas = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\facturas vencidas.js\"" | C:\Windows\system32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\facturas vencidas = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\facturas vencidas.js\"" | C:\Windows\system32\wscript.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\facturas vencidas = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\facturas vencidas.js\"" | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\facturas vencidas = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\facturas vencidas.js\"" | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Script User-Agent

Description: HTTP User-Agent header
Indicator: WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/10/2021|JavaScript-v3.4|NL:Netherlands
Process: N/A
Target: N/A

The same User-Agent header was recorded 27 times during this detonation.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3940 wrote to memory of 2324 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe

This event was recorded 2 times.

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\facturas vencidas.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\facturas vencidas.js"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | titopeo1.duckdns.org | udp
US | 192.169.69.26:9781 | titopeo1.duckdns.org | tcp (22 identical connections)
US | 8.8.8.8:53 | time.windows.com | udp
NL | 20.101.57.9:123 | time.windows.com | udp
US | 192.169.69.26:9781 | titopeo1.duckdns.org | tcp (5 further identical connections)

Files

memory/2324-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\facturas vencidas.js

MD5 4002af6477f7e690003fcaa27f1711b5
SHA1 62bf21de613699c3e43d8db585ea42d34e492dfc
SHA256 c6504bae5d10711f8b818b90eec6eea42a97a0c02129421b5e0b07225c6eca77
SHA512 f5a1d7e8ea6fba6ad4f8faf70690f0450a4daf969263bc9cea94c72f82d22b138b2630e94c0c035a3137e09cb28e5fedffc4fc2fdcfe51f26397f60d14011430

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\facturas vencidas.js

MD5 4002af6477f7e690003fcaa27f1711b5
SHA1 62bf21de613699c3e43d8db585ea42d34e492dfc
SHA256 c6504bae5d10711f8b818b90eec6eea42a97a0c02129421b5e0b07225c6eca77
SHA512 f5a1d7e8ea6fba6ad4f8faf70690f0450a4daf969263bc9cea94c72f82d22b138b2630e94c0c035a3137e09cb28e5fedffc4fc2fdcfe51f26397f60d14011430