Analysis Overview
SHA256
c6504bae5d10711f8b818b90eec6eea42a97a0c02129421b5e0b07225c6eca77
Threat Level: Known bad
The file "facturas vencidas.js" (Spanish for "overdue invoices", an invoice-themed lure name) was classified as Known bad: a WSHRAT JScript agent that, when run under wscript.exe, copies itself to AppData\Roaming and the user's Startup folder, registers HKLM and HKCU Run values that relaunch it with wscript.exe //B, looks up the host's public IP via ip-api.com, and then checks in repeatedly to titopeo1.duckdns.org on TCP port 9781 with a pipe-delimited WSHRAT User-Agent.
Malicious Activity Summary
WSHRAT
Blocklisted process makes network request
Drops startup file
Adds Run key to start application
Looks up external IP address via web service
Enumerates physical storage devices
Script User-Agent
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-10-26 20:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-10-26 20:21
Reported
2021-10-26 20:25
Platform
win7-en-20210920
Max time kernel
147s
Max time network
187s
Command Line
Signatures
WSHRAT
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\facturas vencidas.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\facturas vencidas.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\facturas vencidas = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\facturas vencidas.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\facturas vencidas = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\facturas vencidas.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\facturas vencidas = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\facturas vencidas.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\facturas vencidas = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\facturas vencidas.js\"" | C:\Windows\System32\wscript.exe | N/A |
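The two tables above show the same script wired into three autostart locations: the HKLM Run key, the HKCU Run key of the logged-on user, and the Startup folder. The following is an added example for this report (not the sandbox's signature code and not the sample's own logic) that turns those rows into detection logic: it tokenizes the Run value, recognises a Windows Script Host launched in //B batch mode from a user-writable directory, and groups the persistence mechanisms by script name. The EVENTS list is constructed from the rows on this page plus one made-up benign OneDrive Run entry as a control; the script-host list, path patterns and rule wording are this example's assumptions.

```python
"""Triage of the persistence events above (HKLM/HKCU Run values and the Startup
folder drop). Added example for this report: not the sandbox's signature code
and not the sample's own logic. The EVENTS list is constructed from the table
rows on this page plus one made-up benign Run entry as a control; rule names,
path patterns and the script-host list are this example's assumptions."""
import re
from typing import Dict, List, Set, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
STARTUP_DIR_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Roaming|Local)\\|\\Users\\Public\\|\\Temp\\", re.I)

SID = "S-1-5-21-3456797065-1076791440-4146276586-1000"
HKCU_RUN = "\\REGISTRY\\USER\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
HKLM_RUN = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
RUN_VALUE = r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\facturas vencidas.js"'
EVENTS = [  # constructed from this report's tables; index 3 is the benign control
    {"type": "reg_set", "key": HKLM_RUN, "name": "facturas vencidas", "value": RUN_VALUE},
    {"type": "reg_set", "key": HKCU_RUN, "name": "facturas vencidas", "value": RUN_VALUE},
    {"type": "file_create", "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                                    r"\Start Menu\Programs\Startup\facturas vencidas.js"},
    {"type": "reg_set", "key": HKCU_RUN, "name": "OneDrive",
     "value": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def tokenize_cmdline(cmd: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def hive_of(key: str) -> str:
    """Map a native registry path (\\REGISTRY\\...) to the hive an analyst would open."""
    if key.upper().startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM"
    m = re.match(r"\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\", key, re.I)
    return "HKU\\" + m.group(1) if m else "HKU"


def script_in(tokens: List[str]):
    """First token that looks like a script file, or None."""
    return next((t for t in tokens if t.lower().endswith(SCRIPT_EXT)), None)


def triage_run_value(key: str, name: str, value: str) -> List[str]:
    """Reasons a Run-key value looks like Windows Script Host persistence."""
    if not RUN_KEY_RE.search(key):
        return []
    toks = tokenize_cmdline(value)
    exe = toks[0].rsplit("\\", 1)[-1].lower() if toks else ""
    if exe not in SCRIPT_HOSTS:
        return []  # ordinary Run entries (OneDrive etc.) are out of scope for this rule
    reasons = [f"{exe} registered under {hive_of(key)}\\...\\Run as '{name}'"]
    if any(t.lower() == "//b" for t in toks[1:]):
        reasons.append("//B batch mode: script errors and prompts are suppressed")
    script = script_in(toks[1:])
    if script and USER_WRITABLE_RE.search(script):
        reasons.append(f"script in user-writable location: {script}")
    return reasons


def triage_events(events: List[dict]) -> List[Tuple[int, str]]:
    """Run both rules over sandbox-style events; returns (event index, reason)."""
    out: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        if ev["type"] == "reg_set":
            out += [(i, r) for r in triage_run_value(ev["key"], ev["name"], ev["value"])]
        elif ev["type"] in ("file_create", "file_modify") and STARTUP_DIR_RE.search(ev["path"]) \
                and ev["path"].lower().endswith(SCRIPT_EXT):
            out.append((i, f"script dropped in Startup folder: {ev['path']}"))
    return out


def mechanisms_by_script(events: List[dict]) -> Dict[str, Set[str]]:
    """Group persistence mechanisms by script file name: the same script wired
    into HKLM Run, HKU Run and the Startup folder is the pattern seen above."""
    out: Dict[str, Set[str]] = {}
    for ev in events:
        if ev["type"] == "reg_set" and RUN_KEY_RE.search(ev["key"]):
            script, label = script_in(tokenize_cmdline(ev["value"])), hive_of(ev["key"]) + "\\...\\Run"
        elif ev["type"] in ("file_create", "file_modify") and STARTUP_DIR_RE.search(ev["path"]):
            script, label = ev["path"], "Startup folder"
        else:
            continue
        if script and script.lower().endswith(SCRIPT_EXT):
            out.setdefault(script.rsplit("\\", 1)[-1].lower(), set()).add(label)
    return out


if __name__ == "__main__":
    for idx, reason in triage_events(EVENTS):
        print(f"event {idx}: {reason}")
    for name, mechs in mechanisms_by_script(EVENTS).items():
        print(f"{name}: {len(mechs)} persistence mechanisms -> {sorted(mechs)}")
```

The //B switch matters for triage: it is wscript.exe's batch mode, so a script error or a WScript.Echo would otherwise give the user a visible dialog; its presence in a Run value is a cheap, high-signal pivot. Note that the Startup-folder copy and the Run values point at two different paths (the Startup folder and AppData\Roaming) but the same file hash, so cleanup has to cover both copies and both hives.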
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header (26 requests) | WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
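The User-Agent above is the RAT's check-in record: ten pipe-separated fields carrying a host identifier, the computer name, the user, the OS string, an AV marker, a flag and date, the variant string "JavaScript-v3.4" and the country obtained from the ip-api.com lookup (NL, matching the sandbox's Dutch egress). The following parser is an added example for this report, not the sandbox's own detection and not code from the RAT: it pulls these strings out of HTTP log lines and rolls them up per victim. The field layout is taken from the captured value; the field names are this example's reading of it and are marked as assumptions in the code where the page does not establish a meaning. SAMPLE_LOG is constructed (two check-ins using the captured User-Agent plus one ordinary browser request as a control).

```python
"""Parse WSHRAT check-in User-Agent strings out of HTTP log lines.

Added example for this report, not the sandbox's own detection and not code from
the RAT. The ten-field pipe layout comes from the User-Agent the sandbox
captured above; the field names are this example's reading of those values and
are labelled as assumptions where the meaning is not established by the page.
SAMPLE_LOG is constructed: two check-ins using the captured User-Agent plus one
ordinary browser request as a control."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

WSHRAT_UA = ("WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|"
             "false - 26/10/2021|JavaScript-v3.4|NL:Netherlands")
SAMPLE_LOG = f"""\
10.0.0.5 GET http://ip-api.com/ "{WSHRAT_UA}"
10.0.0.5 POST http://titopeo1.duckdns.org:9781/ "{WSHRAT_UA}"
10.0.0.9 GET http://www.example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/93.0"
"""
LOG_LINE_RE = re.compile(r'^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


@dataclass
class WshratCheckin:
    victim_id: str     # field 2, "DCE526E0": per-host identifier (assumption)
    hostname: str      # field 3, "JZCKHXIN": computer name (assumption)
    username: str      # field 4, "Admin"
    os_name: str       # field 5, "Microsoft Windows 7 Ultimate" (trailing space stripped)
    tag: str           # field 6, literally "plus"; meaning not established here
    antivirus: str     # field 7, "nan-av": read as "no AV product found" (assumption)
    flag: str          # field 8 before " - ": "false"; meaning not established here
    date: str          # field 8 after " - ": dd/mm/yyyy
    variant: str       # field 9, "JavaScript-v3.4": RAT flavour and version string
    country: str       # field 10 before ":", "NL"
    country_name: str  # field 10 after ":", "Netherlands"


def parse_wshrat_ua(ua: str) -> Optional[WshratCheckin]:
    """Return the decoded check-in, or None if this is not a WSHRAT User-Agent."""
    parts = ua.split("|")
    if len(parts) != 10 or parts[0] != "WSHRAT":
        return None
    flag, _, date = parts[7].partition(" - ")
    country, _, country_name = parts[9].partition(":")
    return WshratCheckin(parts[1], parts[2], parts[3], parts[4].strip(), parts[5],
                         parts[6], flag.strip(), date.strip(), parts[8], country, country_name)


def scan_log(text: str) -> List[dict]:
    """Find WSHRAT check-ins in log text; each hit keeps line, client, host and the parsed UA."""
    hits: List[dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE_RE.match(line)
        checkin = parse_wshrat_ua(m.group("ua")) if m else None
        if checkin:
            hits.append({"line": lineno, "client": m.group("client"),
                         "host": urlsplit(m.group("url")).netloc, "checkin": checkin})
    return hits


def summarize(hits: List[dict]) -> Dict[str, dict]:
    """Roll hits up per victim id: who the host is and which servers it talked to."""
    out: Dict[str, dict] = {}
    for h in hits:
        c = h["checkin"]
        rec = out.setdefault(c.victim_id, {"hostname": c.hostname, "user": c.username,
                                           "os": c.os_name, "clients": set(), "hosts": set(), "count": 0})
        rec["clients"].add(h["client"])
        rec["hosts"].add(h["host"])
        rec["count"] += 1
    return out


if __name__ == "__main__":
    for vid, rec in summarize(scan_log(SAMPLE_LOG)).items():
        print(vid, rec["hostname"], rec["user"], rec["os"], rec["count"], sorted(rec["hosts"]))
```

The fixed "WSHRAT|" prefix makes proxy-level detection trivial, but it is also trivial for the operator to change, so treat the parsed hostname and user as the useful output (they tell you which internal machine to pull) and keep the C2 host, port and Run-key artefacts as independent pivots.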
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 268 wrote to memory of 1328 (3 events) | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Both PIDs are wscript.exe. This is consistent with the first instance (PID 268, launched on the sample in Temp) creating the second (PID 1328, the //B relaunch from AppData\Roaming; the same PID as memory/1328-54-0x0000000000000000-mapping.dmp under Files). The writes are the parent populating its freshly created child; no write into any other process is recorded in this run.
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\facturas vencidas.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\facturas vencidas.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | titopeo1.duckdns.org | udp |
| US | 192.169.69.26:9781 | titopeo1.duckdns.org | tcp (26 sessions) |
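Read as a whole, the connection table is the C2 profile of the sample: one DNS and one HTTP request to ip-api.com, then a dynamic-DNS name (titopeo1.duckdns.org) resolved and contacted on a non-standard port, 9781, over and over for the length of the run. The following is an added example for this report, not the sandbox's own signature logic, that applies those three rules (external-IP lookup service, dynamic-DNS hostname, non-standard TCP port) plus a per-endpoint session count to rows in the layout this report uses. SAMPLE_TABLE is constructed from the rows on this page, with the time.windows.com rows from the win10 run added as a benign control; the dynamic-DNS and IP-lookup lists are short starter lists and the beacon threshold is this example's own choice.

```python
"""Triage of the connection table above: session counts per endpoint, dynamic-DNS
C2 hosts, non-standard TCP ports and external-IP lookup services.

Added example for this report, not the sandbox's own signature logic. SAMPLE_TABLE
is constructed from the rows on this page (the time.windows.com rows are taken from
the win10 run as a benign control). The dynamic-DNS and IP-lookup lists are short
starter lists and the beacon threshold is this example's own choice."""
from collections import Counter
from typing import List, NamedTuple


class Conn(NamedTuple):
    country: str
    dst_ip: str
    dst_port: int
    domain: str
    proto: str


SAMPLE_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | titopeo1.duckdns.org | udp |
""" + "| US | 192.169.69.26:9781 | titopeo1.duckdns.org | tcp |\n" * 26 + """\
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
"""

DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org", "zapto.org")
IP_LOOKUP_HOSTS = ("ip-api.com", "api.ipify.org", "icanhazip.com", "ifconfig.me")
EXPECTED_TCP_PORTS = {80, 443}
BEACON_THRESHOLD = 10  # assumption: sessions to one endpoint within one capture


def parse_rows(table: str) -> List[Conn]:
    """Parse '| CC | ip:port | domain | proto |' rows in the layout this report uses."""
    conns: List[Conn] = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        ip, _, port = cells[1].rpartition(":")
        conns.append(Conn(cells[0], ip, int(port), cells[2], cells[3]))
    return conns


def matches(domain: str, suffixes) -> bool:
    """True if domain equals one of the suffixes or is a subdomain of it."""
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in suffixes)


def triage(conns: List[Conn]) -> List[dict]:
    """One finding per (endpoint, domain) with the reasons it stands out; busiest first."""
    sessions = Counter((c.dst_ip, c.dst_port, c.proto, c.domain) for c in conns)
    findings: List[dict] = []
    for (ip, port, proto, domain), n in sessions.items():
        reasons = []
        if proto == "tcp" and port not in EXPECTED_TCP_PORTS:
            reasons.append(f"non-standard tcp port {port}")
        if matches(domain, DYNDNS_SUFFIXES):
            reasons.append("dynamic-DNS hostname")
        if matches(domain, IP_LOOKUP_HOSTS):
            reasons.append("external IP lookup service")
        if n >= BEACON_THRESHOLD:
            reasons.append(f"{n} sessions to one endpoint (beaconing)")
        if reasons:
            findings.append({"endpoint": f"{domain} ({ip}:{port}/{proto})",
                             "sessions": n, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["sessions"])


def c2_candidates(conns: List[Conn]) -> List[str]:
    """domain:port pairs that combine a dynamic-DNS name with a non-standard TCP port."""
    return sorted({f"{c.domain}:{c.dst_port}" for c in conns
                   if c.proto == "tcp" and c.dst_port not in EXPECTED_TCP_PORTS
                   and matches(c.domain, DYNDNS_SUFFIXES)})


if __name__ == "__main__":
    for f in triage(parse_rows(SAMPLE_TABLE)):
        print(f"{f['sessions']:3d}x {f['endpoint']}: {', '.join(f['reasons'])}")
    print("C2 candidates:", c2_candidates(parse_rows(SAMPLE_TABLE)))
```

When blocking, prefer the hostname over the IP: duckdns.org names are free and re-pointable, so 192.169.69.26 can change while titopeo1.duckdns.org stays the operator's handle. The ip-api.com request is a weak indicator on its own (legitimate software uses it too); it is the combination with a dynamic-DNS beacon on an unusual port that makes this table unambiguous.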
Files
memory/1328-54-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\facturas vencidas.js
| MD5 | 4002af6477f7e690003fcaa27f1711b5 |
| SHA1 | 62bf21de613699c3e43d8db585ea42d34e492dfc |
| SHA256 | c6504bae5d10711f8b818b90eec6eea42a97a0c02129421b5e0b07225c6eca77 |
| SHA512 | f5a1d7e8ea6fba6ad4f8faf70690f0450a4daf969263bc9cea94c72f82d22b138b2630e94c0c035a3137e09cb28e5fedffc4fc2fdcfe51f26397f60d14011430 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\facturas vencidas.js
| MD5 | 4002af6477f7e690003fcaa27f1711b5 |
| SHA1 | 62bf21de613699c3e43d8db585ea42d34e492dfc |
| SHA256 | c6504bae5d10711f8b818b90eec6eea42a97a0c02129421b5e0b07225c6eca77 |
| SHA512 | f5a1d7e8ea6fba6ad4f8faf70690f0450a4daf969263bc9cea94c72f82d22b138b2630e94c0c035a3137e09cb28e5fedffc4fc2fdcfe51f26397f60d14011430 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-10-26 20:21
Reported
2021-10-26 20:24
Platform
win10-en-20211014
Max time kernel
147s
Max time network
151s
Command Line
Signatures
WSHRAT
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\facturas vencidas.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\facturas vencidas.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\facturas vencidas = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\facturas vencidas.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\facturas vencidas = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\facturas vencidas.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\facturas vencidas = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\facturas vencidas.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\facturas vencidas = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\facturas vencidas.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header (27 requests) | WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3940 wrote to memory of 2324 (2 events) | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
As in the win7 run, both PIDs are wscript.exe: 3940 is the instance started on the sample in Temp, 2324 the //B relaunch from AppData\Roaming (the PID of memory/2324-115-0x0000000000000000-mapping.dmp under Files). The writes are the parent populating its newly created child; no other process is written to.
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\facturas vencidas.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\facturas vencidas.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | titopeo1.duckdns.org | udp |
| US | 192.169.69.26:9781 | titopeo1.duckdns.org | tcp (22 sessions) |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
| US | 192.169.69.26:9781 | titopeo1.duckdns.org | tcp (5 sessions) |
Files
memory/2324-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\facturas vencidas.js
| MD5 | 4002af6477f7e690003fcaa27f1711b5 |
| SHA1 | 62bf21de613699c3e43d8db585ea42d34e492dfc |
| SHA256 | c6504bae5d10711f8b818b90eec6eea42a97a0c02129421b5e0b07225c6eca77 |
| SHA512 | f5a1d7e8ea6fba6ad4f8faf70690f0450a4daf969263bc9cea94c72f82d22b138b2630e94c0c035a3137e09cb28e5fedffc4fc2fdcfe51f26397f60d14011430 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\facturas vencidas.js
| MD5 | 4002af6477f7e690003fcaa27f1711b5 |
| SHA1 | 62bf21de613699c3e43d8db585ea42d34e492dfc |
| SHA256 | c6504bae5d10711f8b818b90eec6eea42a97a0c02129421b5e0b07225c6eca77 |
| SHA512 | f5a1d7e8ea6fba6ad4f8faf70690f0450a4daf969263bc9cea94c72f82d22b138b2630e94c0c035a3137e09cb28e5fedffc4fc2fdcfe51f26397f60d14011430 |