Click to jump to signature section
| Source: | Binary string: Q~-HL[%cNrhgSW+;`W@;^jOoOG.]eI&bi?bW~HTFLp@HCP}WtE|=hd|iV]<H*9M@xWxF-oblXk7ojdFF]WrLdm9\C^-k~KWf)h'l1LAh=G5kP78p.?@ZR_<;u9Q_hMK@%8Q_jMW78]>PKhb@pey9IeAYMJ[gyiBKwd~pp7lb@niCnk3\PFT9xcsGZGo_DCqi*pNeO[ZodN/J(>GL(;5Bk9_E,=lP+ZhI-c1F)Hr;n^3cqE:gie<h$c`[}`IXKj,<rgQn:[bZ>Cvj0mwK*g@\r]0bT?o]|A5hJM7LuZJ8)IY=/@pCfA4foBWZ?]IYR`ZX1I:p.PdB<hi79=`ibHzp`Fa8);pY.],>^Ink@=HGBp2i4dC_2cyF source: wscript.exe, 00000000.00000003.653609519.0000015B4AE1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.666868007.0000015B4AE39000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.660072732.0000015B4AE2D000.00000004.00000020.00020000.00000000.sdmp |
| Source: | Binary string: flcH3[wc-rJF7KBHGX4MFWgehMcgAldLcZQl:<4Ej[$OcZ,\MetGVmG`>mVp>p1[<j+OUA.WP9;DkbFM<LIN?Y.PDB#?f_PhUImNNm'WmiSi~NeOEgAGBM_Hs_.IEZYA5l&k7oNGVK:J|HCBo]yJZ@U:.7Y@:Y&>\FQiZ]'X]oS:[8%\z;.9NCdpFE\=lCT9`hb9,WAGL?1JOM,oa;$eUk>O2^]JbM+]GcDGN8*g]b89DW3h9j|JcCeI9=AKpnuA1=S>bCCm,_&DAm+n+L^]&M_B\@_XKmKcS[J[}BIp}<2N`IzfxXv_xP~gY=k<uiL`AhWLrJnW`=IOxp+AeIt<|Lv:`Z3Gv^tH^LeA(dBXn@sovL.b`z source: wscript.exe, 00000000.00000003.653609519.0000015B4AE1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.666868007.0000015B4AE39000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.660072732.0000015B4AE2D000.00000004.00000020.00020000.00000000.sdmp |
| Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\ | Jump to behavior |
| Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\ | Jump to behavior |
| Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\ | Jump to behavior |
| Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\ | Jump to behavior |
| Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\ | Jump to behavior |
| Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ | Jump to behavior |
| Source: wscript.exe, 00000005.00000002.1214841659.0000022DB0DA5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mypersonalstuffs.s3.us-east-2.a |
| Source: wscript.exe, 00000005.00000003.802488887.0000022DB0F70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mypersonalstuffs.s3.us-east-2.amazonaws.com/ |
| Source: wscript.exe, 00000005.00000002.1215255251.0000022DB2CB5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mypersonalstuffs.s3.us-east-2.amazonaws.com/P-17-4?=gksnbdoeubridykgfipturpczljqavceihudwvdm |
| Source: wscript.exe, 00000005.00000003.802488887.0000022DB0F70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.1215255251.0000022DB2CB5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mypersonalstuffs.s3.us-east-2.amazonaws.com/soprateste.zip?=atkjuxwveovmyjckdjseehbfgqkczrwg |
| Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Comprovativo de pagamento_2866-XRNM_15-02-2022 06-43-54_28.vbs" | |
| Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\lpmjqbfzsjc.vbs" | |
| Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\kqoajtkeidqm.vbs" | |
| Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\hprncvhclpq.vbs" | |
| Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\kqoajtkeidqm.vbs" | |
| Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\hprncvhclpq.vbs" | |
| Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bzxwbpjxtlj.cmd" " | |
| Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Local\Temp\44519395947455\nlntbxxnjiuohtmer4296072781085.dll" mJ8Lf9v0GZnptOVNb2I | |
| Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\hprncvhclpq.vbs" | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\hprncvhclpq.vbs" | |
| Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Local\Temp\44519395947455\nlntbxxnjiuohtmer4296072781085.dll" mJ8Lf9v0GZnptOVNb2I | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts | |
| Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts | |
| Source: | Binary string: Q~-HL[%cNrhgSW+;`W@;^jOoOG.]eI&bi?bW~HTFLp@HCP}WtE|=hd|iV]<H*9M@xWxF-oblXk7ojdFF]WrLdm9\C^-k~KWf)h'l1LAh=G5kP78p.?@ZR_<;u9Q_hMK@%8Q_jMW78]>PKhb@pey9IeAYMJ[gyiBKwd~pp7lb@niCnk3\PFT9xcsGZGo_DCqi*pNeO[ZodN/J(>GL(;5Bk9_E,=lP+ZhI-c1F)Hr;n^3cqE:gie<h$c`[}`IXKj,<rgQn:[bZ>Cvj0mwK*g@\r]0bT?o]|A5hJM7LuZJ8)IY=/@pCfA4foBWZ?]IYR`ZX1I:p.PdB<hi79=`ibHzp`Fa8);pY.],>^Ink@=HGBp2i4dC_2cyF source: wscript.exe, 00000000.00000003.653609519.0000015B4AE1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.666868007.0000015B4AE39000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.660072732.0000015B4AE2D000.00000004.00000020.00020000.00000000.sdmp |
| Source: | Binary string: flcH3[wc-rJF7KBHGX4MFWgehMcgAldLcZQl:<4Ej[$OcZ,\MetGVmG`>mVp>p1[<j+OUA.WP9;DkbFM<LIN?Y.PDB#?f_PhUImNNm'WmiSi~NeOEgAGBM_Hs_.IEZYA5l&k7oNGVK:J|HCBo]yJZ@U:.7Y@:Y&>\FQiZ]'X]oS:[8%\z;.9NCdpFE\=lCT9`hb9,WAGL?1JOM,oa;$eUk>O2^]JbM+]GcDGN8*g]b89DW3h9j|JcCeI9=AKpnuA1=S>bCCm,_&DAm+n+L^]&M_B\@_XKmKcS[J[}BIp}<2N`IzfxXv_xP~gY=k<uiL`AhWLrJnW`=IOxp+AeIt<|Lv:`Z3Gv^tH^LeA(dBXn@sovL.b`z source: wscript.exe, 00000000.00000003.653609519.0000015B4AE1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.666868007.0000015B4AE39000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.660072732.0000015B4AE2D000.00000004.00000020.00020000.00000000.sdmp |
| Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\lpmjqbfzsjc.vbs | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\hprncvhclpq.vbs | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\kqoajtkeidqm.vbs | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\clqaooxjymm.vbs | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\nlpwowbvfyb.vbs | |
| Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | |
| Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | |
| Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | |
| Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | |
| Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | |
| Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer | |
| Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer | |
| Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\ | Jump to behavior |
| Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\ | Jump to behavior |
| Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\ | Jump to behavior |
| Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\ | Jump to behavior |
| Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\ | Jump to behavior |
| Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ | Jump to behavior |
| Source: wscript.exe, 00000000.00000003.663134735.0000015B4B82D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: cUWH<[Pcdr[\bZqJ0@'MI^oC|CWZ0=x>~KjG{=S@Hl49%BYZ[H^EeD\CHpmJmIs8D`'M~[lJKDRiamfGy]KC~cr`VmcI%]Nir?f_G8=os?P7z=?Z}@uEpn`L+K>JgNsg|<G\IX9d}m;eHk^WpIdg1YH_vHpA1\SmJ]rLU91F=I7Jsj<_sIr8(?`m1lrZbn+F3g8lV[hIZg#jHj$L_eTAx^BI<M/P'DQ`M^omLe%mxHR=AOvd'd5iGNSnv[`n2\ydfk9FNi7NXluF5>9d0WV]CAZi{bgW:Bnkge=M/Gnp*fTpqmX_>PWhvZ1mZMrnffnhKk)k3MU@6Z+hAfeK,gK7LM)_8\n\=8sC(]uW\>I>$\K^{menHG]Z8 |
| Source: wscript.exe, 00000000.00000003.678253319.0000015B667AA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: lCCHk[pcVr|AKEYZMp)I%dNj*7\AF_X@OdOhlLXOzZv@?c|>@AIc28P;a`pXa:rJ5kbA/;bbAico1[ep1W`@1]<@(oSA/cyEXJbi`WRjZA\B4<;Ya\_gQj?BhO)@YkDN~FKLRmaAwL5poH;dsDMP{m@LVX-Y+>x7$o/d*b'hd84Bji`_zKIXT<?9Q=UK|OcIRF9C|le[\W[C|j]LFX,dN]R:rCTbk8|9W^Nj)B)cXMh:[LY:vXCG<=Ij4iLEC]=iUpi]R<dGe^-X.O7dOj:GcFiE:ZzegPL_&AC9bKQDN?Nc6jKBBh.hi:TC,<x7;YSEs=`e5<W[O\qbnLJ<yKVMci|>$eS=PAld2iJPyJ:gakQK/_\C%dF% |
| Source: wscript.exe, 00000000.00000003.666453256.0000015B49A59000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SKjHz[ScKr}<|NmNlDTO_e{;)JpO^WUXpA5lmDY[B7{ZxW<9FPl>jXsZK@A_Bk|:*XvMCIuMZWeO+gMBu<-X?Os[^91fZ]}^]=Pcqca\N8I8#\_MJ?3G/L?;XYXi]D~Y7ZkbkYJkR=K9R7I8@<{8FAmOI;-lsoc^oArkxPtPQpKE`8TA3h`kJF7CV;Tc%]$E_F(l=7%INC>dkW*:qcg`uW_oaXs>#K-E4Gzc+[,^cL2gK\BHJ_w:`9PD`dEe%pIK1LFCr@Z?gkL^KPsd;J.JtbBDccX9Rm\`RAJ8Dn;IE=impjNO{GX`v^(?3`:F3G]pPdI>W[)G\m&B~J4]CFhiEGi8i<HKzZ]]X;yJic:bjiG[JDANUJA1 |
| Source: wscript.exe, 00000005.00000002.1231079656.0000022DB6863000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Rem lBMuINljHyGAUiFLhMVUyuKAFWwssqpBleaPvpNbIPhGfshetmjxVdVqaLplOtrRLFPoIrQswtMlMTUNqUwFGsfHLjnjAbPQZRxactXBZrwbTjeHrbvtumLSYHdWDerXevOuZtjxzxhPuEoaFftYgVXlGeCVQzwsAbzZZjlzswxzDxWUUCTW |
| Source: wscript.exe, 00000005.00000002.1231079656.0000022DB6863000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Rem gwMPLHBjyYccqNhDGlNjEjtnTOfBoEWyVZwKjbygcKwRlxtvIzYlFxsxFYvxayxvBcITOHTemfHembBXVjtqemuWeCVMfCFcdCQHoKhBduyYpOJcZKarGFQPijnLmHyiadBiNuhuCsNlnViStroGaPZWmAYEmZPXvQwLNKQcrfoOsebPAXSv |
| Source: wscript.exe, 00000005.00000002.1231079656.0000022DB6863000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Rem yofYscERURhOZiMfhRSrfAXLYtGfxDbKLUiKAvsWRwjNHzuNAicfSROwTVywZYVRpIDCymfmWtagRJCbwufNKvHtFlHevuBrdTWytsOPCqHYpggISZAcsIrtALzPdBqdrjDwmDhGfSJioiDWDwOWuYwVbdyiuwjBydgFciZPptxawHFSGYLe |
| Source: wscript.exe, 00000000.00000003.660072732.0000015B4AE2D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: k8GHq[=cRrIbJKxZinGcTfeY9[]j(f[hKgc82d_AQH5;oIMWtfsA[`zj4ezY_c8EC\cF|Ms_#L<`vO?^/ii9~7XL|cW>ud9C.hvMcI[P|BfcHd6p>[fLgZIl48cA1gRK3o,W'pnH^Nv=AP/=HY_;3^SFb:mp(e2]3c>Mz8^GPBEFx:BjiWaWr;4oV<YYO]VI$Ch][LSC8B{Pdg@bt86C[k{<1;#OVj>]r]#nN@0YpMiWJ?k`VMs:Pf^l*8<M`7:7/MmG69IPTX,Y+PhGo]XHoF>o3LppLfT8O]5PjJS?lJW:zkLb}MN`3d7=T]Hlh_QYmBKjC]ueCP}PQ<C:TAykCnz>RCz?gFkA>E'eGE4Z1<KhQ]7K>L\K |
| Source: wscript.exe, 00000000.00000003.680219094.0000015B665C5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: wL`H'[NcFr>I(I}mRL1F|F}fVC/m|MMBsF89lInEU?9f{>*BodNG;mAKgXw_]gMi#hQX&h&@/Deon>[NroJf6E*9jg{e(PL[4kIDs>h9>C:P*C<?Y7-kTd}OKJxp@N:b%O4Pbpo`N=ZFJp}F9kql;E#KjXb;fKvmCi=J/ADG>Xmdl]vK=G7_]?GI(DG^r:e9=JHX(ZfJag.dGOP[KF)i1>_Gp@LiT\9l1APe[]V7lP)=_?GbagNYYKQPu<O\m9;DXijB27ao'WJ8;>U;8khkx7x`;\HH~BpMF:dECh8O,8593[/CWJQjJY4E7KC8`O=_ag}l'PVmrh`\WKWOH\UXY<hX@=eO^</OmJWnFK=iOeBYtCTfe[|4 |
| Source: wscript.exe, 00000005.00000002.1231079656.0000022DB6863000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Rem hKpocPTuLsjMLSpySFhJeXWQEmUtDGVJRFUdMtKWgAGvQvvAUieGdAZNCYjrvKqEWavFzMnWeLcePbAIrTYUaPfQhHbmIicGJBWpAqDIvGbTWszaWaAbAXdJueZqjAPvhXVNDMIAQRYUmOrpJBPhiAGnWPuVUNYusfjCWlZNTyNjzJZgnggh |
| Source: wscript.exe, 00000005.00000002.1231079656.0000022DB6863000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Rem vmrtBijZPHxWQbGSHxtjMTzPIKlljYVUdUwauPoCDvCppfLIimdWWcGbobjbwwnpmctvdeZsHrgRQIYcPbCzuzxBOXmSeMEEINCNmQdDPmQgvpMfDGOXvpvpfshIsENvmcIDGNrywyiIhPFWJGPWwiIUSNfugVLLYUvTgIYrQPZxFmHSmJwl |
| Source: wscript.exe, 00000000.00000003.653609519.0000015B4AE1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.666868007.0000015B4AE39000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.660072732.0000015B4AE2D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: LA$HN[BcwrhP|[rGVhR?wW[WfWv<8IH8EO5:|\_JSoB_(C.p5E@\Acr=U8h?k:J^:Ia\.c?e1n_GPC^].C)HOF3_:;iNKIMZ5Bmez^>Np?Z]ZdN@4i6i%@_XQbyO0F`^`;0ia@rlsJAYy<v@PiMoo>a_6KVY*jNhGFS>olOElW7]AAQ`FihY$np:S=0_cnVcB9'\0ZvDEDxNpB(]M_@M|Z$@sOL;afpFgo%I^D-Y_YC7k>\PVI[O@9@fw]R8|9R?)9'NW\Cdxo\\f[QjknAFyZ,9U:YHjB}d'dz]J:,eeN0KP@98POK=|k#eyJ7NRoy]]NmL|=,:nMV90G^K<d/Kk\qEQN0<uK?8(E{F68B7:mhE}di_|Ct# |
| Source: wscript.exe, 00000000.00000003.693636564.0000015B4C6BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.696166586.0000015B4C6CB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: cHBHl[Dcnr1CQF%hb<:cC=F\5`2PP9O7Zg69sb)psDPdy@GZ[\?g]^.73Y`HgfS>&O/mBZyEPn{JV<NlQk?k_9~iofyl6\;PMK{EbNMl7pyo6;mobH77SlZi@ZSE?FFfnnhma=Ecoi)ez;4Pjn8f]:nJ'b4Hhel`BBqB@]`FCl:j*BaO[jn[ZnhnbMyEOIb\R[pDpnXg*f^j4ZW[>@`m@mj>0n(b`ENo'DUBj^ZJV\\o*kI93dh]vjODXh(>joo_xM(PreNMULopnl%Hq]<9h;hnGld:OYc>CHdp-_2D-[3mf7K[1IbjN:c>;7&Hgd88no)Gj_yORpmgF[{F6GdIzc`Z*l>pf>t`&;}bCl<k>M+cX:0ABP<@h |
| Source: wscript.exe, 00000005.00000002.1231079656.0000022DB6863000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Rem XFQHKhDHBSZpjomLsvXSxiwxnsZDjMZdqHAuNJvjYNxlMPhPcXZsPXtnHTVgMAZputwcorwhAlsimOlWJHKOodPVONntpOWYqHqTREamWprcdJBthxZEKIARddQaDFtnNUteWTHFgoqymlqEMuLtqUwgGYompyhTxEQJQXXQoSZmTAdtnMQJ |
| Source: wscript.exe, 00000000.00000003.685749894.0000015B66702000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: L+eH^[,c{rv<xO#\@cup+XEjrgY>8ASoxG,]n@]A?_,LcJ_MKB@fJiU9jGNIdod_KO;f9pcc,IhL]l0H,:xPi[$kvfRm;I%Ba8*\8HC_4FBkC;Xk|]gD)by7fD?N.HbLvmciELu8`BUeg^Bk{c%jQNgD{gbMn_4DaMS]N8t_t8CGwK%Z7`?9S<,;W`el*:<^j=5BYn,nLYzG<7QD1mBNnp{NlOgix;x?8Z[O(X\[5Lm]JJu^KO2gBHN?+^CY[BGg@fweI=f\8X\c;_U>}]&e:b)[4IDm]<0iYpPnRW~CuJCOwE+OxhOE&MJc)orih[yLoC~=F\4bkc6Og]Ehcf;LCmO\yn4e{HgW(b@OEBFbh9^mGMRH{AI0h#{f[ |
| Source: wscript.exe, 00000005.00000002.1229986645.0000022DB5DEA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Rem vnhVmciQLdtnViRfeTToVPaOFyZsQmphsFEIXuMbBpcSoTPJEqfHyIHgMUPnGqAWpLvQdIJlHrmflJKnjOoYGhiizWzCeWXLpEcdZyevgvyIXbxCuaCtCaSGaMSGLHFjVargfvQjhssMhaOXavIEVbIPmXDMhYlKpQnulPXwMTLLhGWAwxeQ |
| Source: wscript.exe, 00000000.00000003.660072732.0000015B4AE2D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: W_$HU[oc=r6m{Xm@wPoHqK5<oM*@Bb2Dn9_G:Zpoq=dGqo{byh=Ks]xI<HoAiJu9`B'b9D?o-E{g&fUffE;[u@zYvjt\r\w[`\k@jINIA\.o+<s\E]NWmo]n[IP@mjanVmcIClnd(nWbmoOC9ArefcYXV=4P)hoB=dr9eb,=*>{7<N2Bv[^\'Jad2hgj@M@:,c\Eu[=XJb4jl^~k8B;=Fi%h*E3ZRA?BM_Ue-?\GFMGcze:m?lLb\?}G6JhCoL8]+HN^ugZjPi|GUARkOK0htl18f>~Zdpi8{=O>~:{9S`W?^[UoCOU\V\K7'``JqXno>cvBGWa[Te)]WIJKjF/F;nv]mgld5gYHXdA>E@#Bk>]ItnK?p:ZuH |
| Source: wscript.exe, 00000000.00000003.682038841.0000015B664A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: G%uHL[|cor,C4H|gKhdE?\%m:<X:'m~7%IOKxMtP&m_>#g*_LfanG`j@|FQp':eEeXlCgg,pH[U=FYmG`BpfNWrFj9}lw?-9MEnZ%=79+N=IiBnC)b;k>A#PLWa>gX~koBgJ1P/kQE^7qL)Bsg>?tC5?%\MWn\Fjad%^hlxb@g^7Xhc@U7S[NDabk\P=fe[:-EF]d;|`IOVF.e1Eo?hnXDzE<<28=[7@NEj]0_uj~Cvgz:-@`W+Ezjf_<e.`V[#`DLG?LlTmJPLngLOO?jr^XY$kne;Zq:$o\oc98P%mGP6kKhMP7Z]kg@(B4Le<gAVMCIHYFiepm<M\7cMI-D;@x7@ZxEu?'N4nv@Nj'_9bnEe\VD1A|Hnu |
| Source: wscript.exe, 00000000.00000003.663134735.0000015B4B82D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dsKH$[5cor]mXW>KD`ffGAfO_L=\^YRO|cXN:mJB=IhD`_d@5f)_pj#c&9VmVXZL@]l[s:oL@`~izHnH}GD?$pHP,j\=`WEN^LufF=tmL?hj:`3g*jUl'iU^~<}eJHRbvD|;ShAfMY`>^fYk*<p^?k=?/GJCTG{^B>CP@I1EGi]ZKC-dnlcDKWhe3o{_vBtWJi\C#@ZeSFmb5i&DHopC?i?W'oqXiWc]r[[@+A0^HPW:hjw^5j6;(kUHt]]8Sk+N^PHJBHU:m8VX0JUNjZ#;'EC\-b)bte~J}cAjg?kgj?bXe;~e~JcWxlnBFh3Xl\VmCI|PV:+\XC+P$[U:yh#:W;AJ[g8DLp8?NG2W>Zzdjj2;sEil}Fr+X |
| Source: wscript.exe, 00000000.00000003.660072732.0000015B4AE2D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ,v{Hq[ccYrmnyPrA(FgE:Yfm7C3FM_uD]HPm2Z+iFDKfyf2@=;b`Xf9j6o`P`C9KiL[N9>Rh2gyPvYq<GJkE'k_lW`qkEcEpXGOF^W;?%^#jeF?O?b<Yp7FL%>UY+Aki\9P@4Yuf@=ZiSN.j3NdMIA-oUlpkWO7@am=hzZ5b]lx9cc2XJ>p_K=hDDP)?op_gjdh99i9AoILpqgVMcib^tdQ@zKmG,ZBg6:'g\N?H~msfsp^owPS8v]jM%cu@vPhEQWV_wC{iN80oui)887s=}j:EWGHY~>]iL<yG3@}\scO]=h`m(<Pjj9qGkGaJCb}_)B)Og^L`&:AbbfW;(pIL9Ghi2l>`;`%kaj+f2J^P(oIh}X.j0ivXHxuK[ |
| Source: wscript.exe, 00000000.00000003.653609519.0000015B4AE1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.666868007.0000015B4AE39000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.660072732.0000015B4AE2D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 9i[H7[_cRrY_l<XW#n[lU?/93mtb`=?cA9V>M`eY$L+FH[Nl/ojOIeMlFH\^?hgfsFFO\B>7~7vlZZzAZ_f7NNVlDKtBzhTFJF}h&>MLA7RE~e,I)MQH]GZoWk;BoBvF=;PJ;dPA,A[<Oc?>LYDB.j$KgiW_LXCe}^?O.]zO_A1N4f48u`mjDYM_p[v[X[[M=g+>ah\8ZMDHOfY?n;]7(htf+KYK5Oae:feX8HYNjZab#e\^uZqc/fM]{Y6:YYkm0\BLEZ.b=imA\HaH$`fMlKZA4[Zo8^JHSKCewjk:NEe?OkB;BKl@NP}bfXp>u\A82PHiw@Emxf\eznOF=BloscU<oI:FW9PZ+:EObDzeRB{O^b7PSWjw |
| Source: wscript.exe, 00000000.00000003.656407729.0000015B671A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: )98H4[<c(re74F0@3nTFOE:;+m:E3DrDHE0_<lT\cpQG`K1=cI:<KI(<]>h?@^WBv:q_Sf\fzM=BeKkNJ\4@?lJBU7yJy=1Hjo;M:<WN_eS^|o1C$NCj'LTK?^H@<8ue>]Q9&8bGvMyP=e\:EF%Ao7md^K}@q=9m%m}8b<T`(:MDlNlL__eZ,Kw[Rfh7Hd{Pe?B>:YvmcI?huiVY<`69U=lF0^(Czi%DKdMN*Lp]b:zI5`~Lv\Q]/\\k#9M?fEbELcQYd[_C-]*?Y\O>K?uY%on8o<l>;cIM>br>|itJ@[_<5J]h&Ps?`I'bXB2m>A{Whe2jxXC;x\t\H\@[.g8EiO:WPIt_oG?OskA?v?+lhH8ko_^]CB}: |
| Source: wscript.exe, 00000000.00000003.689685306.0000015B4C920000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tmmH{[ccprWJ?_|L=@^?+Cx<o`'O%CwHcd1Xn@IBmY;?HZ3=3nI]MHgfSFO>38,E59PZ<[^=>X7l;LH[)J~m|ZO;T;jK=nf[HdS[6Mi[6>dd*Z+Za]69-F\OG9Bk2=E9`>6ph:D=dk;<=eti~>1Z^iwZt[nAt9nXYbhb<8A_6`]NY=fF7o28WOAO'],lhY-M~i[XIph=DHqfw`m^phm[0M-Y2k@oBmW>#7Pc'e%H*j4PMISbXhwes>hjj]uGMCeC{7CL?cf9SX0naCWlG7XJQi~;_mLY3KFoL9GHWOgl,>RD9ZsLS@.C'FnXq]tho8[WBK+DLY4AOE?l,[Y:KA0ihGMA^ZBEzdbEdK/?qhHGWgkHL;2eqhL. |
| Source: wscript.exe, 00000005.00000002.1231079656.0000022DB6863000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Rem cgVFwvdQJwfmgGFtwqbrqVsgiNAbeLtQSZwhSoiyxICyEhabCiYTHwMIooZlvCjwFRVLIWbJHcugStcAmYKxmKHTLpucSzDuWEtoOQTdGQLdDeruLXyXboNeIByTdwrLKAIOApnXFvpXQcQewyTxwgSjrOeMRyAHWAEDXduXhcRgwqQemUVd |
| Source: wscript.exe, 00000005.00000002.1231079656.0000022DB6863000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Rem SSpuoCtFGGxxHehHqGPjiXmdQNXAtmmTOfdiayQOcogKDLTusStRPqmveMdbftMVUchbAyfqqBGupNKFuaHbsXDZthDPXogicNFKbqutmDKOisGTmWgEmjbwKMiSvRVCUWScHydEgPppvqoBblczGczsjHARHbzViWtMKdMmucZWvmCiZgqL |
| Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\hprncvhclpq.vbs" | Jump to behavior |
| Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\hprncvhclpq.vbs" | |
| Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Local\Temp\44519395947455\nlntbxxnjiuohtmer4296072781085.dll" mJ8Lf9v0GZnptOVNb2I | Jump to behavior |
Edit tour
wscript.exe (PID: 6152 cmdline: 
cmd.exe (PID: 6768 cmdline: 
rundll32.exe (PID: 5504 cmdline: 
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet
