Analysis Overview
SHA256
3f5a623301740e9a78429d41530fde0492026f3cf97d7b1e1fb91babf0c89d06
Threat Level: Known bad
The file Orden_de_embargo__pdf.uue was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Blocklisted process makes network request
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-24 06:40
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-24 06:40
Reported
2023-03-24 06:42
Platform
win10v2004-20230220-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Orden_de_embargo__pdf.scr | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtWlbrTJaO.js | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento-pdf.js | C:\Windows\SysWOW64\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento-pdf.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtWlbrTJaO.js | C:\Windows\SysWOW64\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Documento-pdf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento-pdf.js\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Documento-pdf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento-pdf.js\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Documento-pdf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento-pdf.js\"" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Documento-pdf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento-pdf.js\"" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Orden_de_embargo__pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Orden_de_embargo__pdf.scr" /S
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" "
C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe
Documento-pdf.exe -pDocumento -dC:\Users\Admin\AppData\Local\Temp
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Documento-pdf.js"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtWlbrTJaO.js"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Documento-pdf.js"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtWlbrTJaO.js"
Network
Files
C:\Users\Admin\AppData\Local\Temp\1.bat
C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe
C:\Users\Admin\AppData\Local\Temp\Documento-pdf.js
C:\Users\Admin\AppData\Roaming\FtWlbrTJaO.js
C:\Users\Admin\AppData\Roaming\Documento-pdf.js
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento-pdf.js
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtWlbrTJaO.js
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-24 06:40
Reported
2023-03-24 06:42
Platform
win7-20230220-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtWlbrTJaO.js | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtWlbrTJaO.js | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento-pdf.js | C:\Windows\SysWOW64\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento-pdf.js | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Documento-pdf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento-pdf.js\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Documento-pdf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento-pdf.js\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Documento-pdf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento-pdf.js\"" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Documento-pdf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Documento-pdf.js\"" | C:\Windows\SysWOW64\WScript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Orden_de_embargo__pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Orden_de_embargo__pdf.scr" /S
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" "
C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe
Documento-pdf.exe -pDocumento -dC:\Users\Admin\AppData\Local\Temp
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Documento-pdf.js"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtWlbrTJaO.js"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Documento-pdf.js"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtWlbrTJaO.js"
Network
Files
C:\Users\Admin\AppData\Local\Temp\1.bat
C:\Users\Admin\AppData\Local\Temp\Documento-pdf.exe
C:\Users\Admin\AppData\Local\Temp\Documento-pdf.js
C:\Users\Admin\AppData\Roaming\FtWlbrTJaO.js
C:\Users\Admin\AppData\Roaming\Documento-pdf.js
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documento-pdf.js
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtWlbrTJaO.js