Source: wscript.exe, 00000001.00000003.1540456864.0000018C8EAEC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1428567624.0000018C8EAEB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://radostdetym.ru/img |
Source: wscript.exe, 00000001.00000003.1541921743.0000018C8ED0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1545410007.0000018C8EEB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1428981510.0000018C8F630000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1550453541.0000018C8F63B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1541876877.0000018C8F651000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1547858441.0000018C8F631000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1540529654.0000018C8EAFB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1429188624.0000018C8F5F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1545177194.0000018C8ED1F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1429014392.0000018C8ED1F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1540456864.0000018C8EAF4000.00000004.00000020.00020000.00000000.sdmp, 8NWLUJXY.htm.1.dr, a2.exe.1.dr, php4ts.dll.1.dr, a1.exe.1.dr, a.exe.1.dr, 9AYDDNVM.htm.1.dr, 1DZ0H94T.htm.1.dr, IBM86D31.htm.1.dr, CKUCPLE0.htm.1.dr | String found in binary or memory: https://radostdetym.ru/img/174_91.jpg |
Source: wscript.exe, 00000001.00000003.1541921743.0000018C8ED0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1545410007.0000018C8EEB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1428981510.0000018C8F630000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1550453541.0000018C8F63B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1541876877.0000018C8F651000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1547858441.0000018C8F631000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1540529654.0000018C8EAFB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1545177194.0000018C8ED1F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1428496051.0000018C8EAFB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1429014392.0000018C8ED1F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1540456864.0000018C8EAF4000.00000004.00000020.00020000.00000000.sdmp, 8NWLUJXY.htm.1.dr, a2.exe.1.dr, php4ts.dll.1.dr, a1.exe.1.dr, a.exe.1.dr, 9AYDDNVM.htm.1.dr, 1DZ0H94T.htm.1.dr, IBM86D31.htm.1.dr, CKUCPLE0.htm.1.dr | String found in binary or memory: https://radostdetym.ru/img/185_479.jpg |
Source: wscript.exe, 00000001.00000003.1541921743.0000018C8ED0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1545410007.0000018C8EEB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1428981510.0000018C8F630000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1541876877.0000018C8F651000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1540529654.0000018C8EAFB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1545177194.0000018C8ED1F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1428496051.0000018C8EAFB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1429014392.0000018C8ED1F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1540456864.0000018C8EAF4000.00000004.00000020.00020000.00000000.sdmp, 8NWLUJXY.htm.1.dr, a2.exe.1.dr, php4ts.dll.1.dr, a1.exe.1.dr, a.exe.1.dr, 9AYDDNVM.htm.1.dr, 1DZ0H94T.htm.1.dr, IBM86D31.htm.1.dr, CKUCPLE0.htm.1.dr | String found in binary or memory: https://radostdetym.ru/img/215_944.jpg |
Source: wscript.exe, 00000001.00000003.1541921743.0000018C8ED0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1545410007.0000018C8EEB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1428981510.0000018C8F630000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1550453541.0000018C8F63B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1541876877.0000018C8F651000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1547858441.0000018C8F631000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1429257298.0000018C8F62C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1540529654.0000018C8EAFB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1429188624.0000018C8F5F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1545177194.0000018C8ED1F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1429188624.0000018C8F61F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1429014392.0000018C8ED1F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1540456864.0000018C8EAF4000.00000004.00000020.00020000.00000000.sdmp, 8NWLUJXY.htm.1.dr, a2.exe.1.dr, php4ts.dll.1.dr, a1.exe.1.dr, a.exe.1.dr, 9AYDDNVM.htm.1.dr, 1DZ0H94T.htm.1.dr, IBM86D31.htm.1.dr | String found in binary or memory: https://radostdetym.ru/img/341_349.jpg |
Source: wscript.exe, 00000001.00000003.1541921743.0000018C8ED0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1545410007.0000018C8EEB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1428981510.0000018C8F630000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1541876877.0000018C8F651000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1546183931.0000018C8ED19000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1540529654.0000018C8EAFB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1428496051.0000018C8EAFB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1429014392.0000018C8ED1F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1540456864.0000018C8EAF4000.00000004.00000020.00020000.00000000.sdmp, 8NWLUJXY.htm.1.dr, a2.exe.1.dr, php4ts.dll.1.dr, a1.exe.1.dr, a.exe.1.dr, 9AYDDNVM.htm.1.dr, 1DZ0H94T.htm.1.dr, IBM86D31.htm.1.dr, CKUCPLE0.htm.1.dr | String found in binary or memory: https://radostdetym.ru/img/662_460.jpg |
Source: wscript.exe, 00000001.00000003.1541921743.0000018C8ED0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1545410007.0000018C8EEB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1428981510.0000018C8F630000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1550453541.0000018C8F63B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1541876877.0000018C8F651000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1547858441.0000018C8F631000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1429257298.0000018C8F62C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1540529654.0000018C8EAFB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1429188624.0000018C8F5F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1550753313.0000018C8F659000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1545177194.0000018C8ED1F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1429188624.0000018C8F61F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1429014392.0000018C8ED1F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1540456864.0000018C8EAF4000.00000004.00000020.00020000.00000000.sdmp, 8NWLUJXY.htm.1.dr, a2.exe.1.dr, php4ts.dll.1.dr, a1.exe.1.dr, a.exe.1.dr, 9AYDDNVM.htm.1.dr, 1DZ0H94T.htm.1.dr | String found in binary or memory: https://radostdetym.ru/img/814_239.jpg |
Source: wscript.exe, 00000001.00000003.1541921743.0000018C8ED0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1545410007.0000018C8EEB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1428981510.0000018C8F630000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1550453541.0000018C8F63B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1541876877.0000018C8F651000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1540529654.0000018C8EAFB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1429188624.0000018C8F5F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1545177194.0000018C8ED1F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1428496051.0000018C8EAFB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1429014392.0000018C8ED1F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1540456864.0000018C8EAF4000.00000004.00000020.00020000.00000000.sdmp, 8NWLUJXY.htm.1.dr, a2.exe.1.dr, php4ts.dll.1.dr, a1.exe.1.dr, a.exe.1.dr, 9AYDDNVM.htm.1.dr, 1DZ0H94T.htm.1.dr, IBM86D31.htm.1.dr, CKUCPLE0.htm.1.dr | String found in binary or memory: https://radostdetym.ru/img/971_401.jpg |
Source: wscript.exe, 00000001.00000003.1541921743.0000018C8ED0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1545410007.0000018C8EEB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1428981510.0000018C8F630000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1550453541.0000018C8F63B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1550296946.0000018C8ED22000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1541876877.0000018C8F651000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1546183931.0000018C8ED22000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1547858441.0000018C8F631000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1550753313.0000018C8F659000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1545177194.0000018C8ED1F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1429014392.0000018C8ED1F000.00000004.00000020.00020000.00000000.sdmp, 8NWLUJXY.htm.1.dr, a2.exe.1.dr, php4ts.dll.1.dr, a1.exe.1.dr, a.exe.1.dr, 9AYDDNVM.htm.1.dr, 1DZ0H94T.htm.1.dr, IBM86D31.htm.1.dr, CKUCPLE0.htm.1.dr | String found in binary or memory: https://radostdetym.ru/img/987_908.jpg |
Source: wscript.exe, 00000001.00000003.1541921743.0000018C8ED0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1545410007.0000018C8EEB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1428981510.0000018C8F630000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1550453541.0000018C8F63B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1541876877.0000018C8F651000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1540529654.0000018C8EAFB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1545177194.0000018C8ED1F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1428496051.0000018C8EAFB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1429014392.0000018C8ED1F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1540456864.0000018C8EAF4000.00000004.00000020.00020000.00000000.sdmp, 8NWLUJXY.htm.1.dr, a2.exe.1.dr, php4ts.dll.1.dr, a1.exe.1.dr, a.exe.1.dr, 9AYDDNVM.htm.1.dr, 1DZ0H94T.htm.1.dr, IBM86D31.htm.1.dr, CKUCPLE0.htm.1.dr | String found in binary or memory: https://schema.org |
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Delivery_Notification_00000260791.doc.js" | |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\user~1\AppData\Local\Temp\a.txt" | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted" | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\user~1\AppData\Local\Temp\a.txt\"" | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\user~1\AppData\Local\Temp\a.txt" "C:\Users\user\AppData\Roaming\Desktop\DECRYPT.txt" | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Crypted" /t REG_SZ /F /D "C:\Users\user~1\AppData\Local\Temp\a.txt" | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG ADD "HKCR\.crypted" /ve /t REG_SZ /F /D "Crypted" | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\user~1\AppData\Local\Temp\a.txt" "C:\Users\user\Desktop\DECRYPT.txt" | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user~1\AppData\Local\Temp\a.exe "C:\Users\user~1\AppData\Local\Temp\a.php" | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG ADD "HKCR\Crypted\shell\open\command" /ve /t REG_SZ /F /D "notepad.exe \"C:\Users\user~1\AppData\Local\Temp\a.txt\"" | |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c notepad.exe "C:\Users\user~1\AppData\Local\Temp\a.txt" | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c DEL "C:\Users\user~1\AppData\Local\Temp\a.php" | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\notepad.exe notepad.exe "C:\Users\user~1\AppData\Local\Temp\a.txt" | |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c DEL "C:\Users\user~1\AppData\Local\Temp\a.exe" | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c DEL "C:\Users\user~1\AppData\Local\Temp\php4ts.dll" | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user~1\AppData\Local\Temp\a.txt | |
Source: unknown | Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user~1\AppData\Local\Temp\a.txt | |
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: msdart.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: wininet.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: schannel.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: ntvdm64.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll | |
Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll | |
Source: C:\Windows\System32\cmd.exe | Section loaded: ntmarta.dll | |
Source: C:\Windows\System32\cmd.exe | Section loaded: ntvdm64.dll | |
Source: C:\Windows\System32\cmd.exe | Section loaded: version.dll | |
Source: C:\Windows\System32\cmd.exe | Section loaded: textshaping.dll | |
Source: C:\Windows\System32\cmd.exe | Section loaded: uxtheme.dll | |
Source: C:\Windows\System32\cmd.exe | Section loaded: kernel.appcore.dll | |
Source: C:\Windows\System32\cmd.exe | Section loaded: textinputframework.dll | |
Source: C:\Windows\System32\cmd.exe | Section loaded: coreuicomponents.dll | |
Source: C:\Windows\System32\cmd.exe | Section loaded: coremessaging.dll | |
Source: C:\Windows\System32\cmd.exe | Section loaded: wintypes.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: kernel.appcore.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: uxtheme.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: mrmcorer.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: windows.storage.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: wldp.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: textshaping.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: efswrt.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: mpr.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: wintypes.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: twinapi.appcore.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: oleacc.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: textinputframework.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: coreuicomponents.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: coremessaging.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: ntmarta.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: urlmon.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: iertutil.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: srvcli.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: netutils.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: propsys.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: policymanager.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: msvcp110_win.dll | |
Source: C:\Windows\System32\notepad.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\System32\notepad.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Windows\System32\notepad.exe | Section loaded: mrmcorer.dll | Jump to behavior |
Source: C:\Windows\System32\notepad.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Windows\System32\notepad.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Windows\System32\notepad.exe | Section loaded: textshaping.dll | Jump to behavior |
Source: C:\Windows\System32\notepad.exe | Section loaded: efswrt.dll | Jump to behavior |
Source: C:\Windows\System32\notepad.exe | Section loaded: mpr.dll | Jump to behavior |
Source: C:\Windows\System32\notepad.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Windows\System32\notepad.exe | Section loaded: twinapi.appcore.dll | Jump to behavior |
Source: C:\Windows\System32\notepad.exe | Section loaded: oleacc.dll | Jump to behavior |
Source: C:\Windows\System32\notepad.exe | Section loaded: textinputframework.dll | Jump to behavior |
Source: C:\Windows\System32\notepad.exe | Section loaded: coreuicomponents.dll | Jump to behavior |
Source: C:\Windows\System32\notepad.exe | Section loaded: coremessaging.dll | Jump to behavior |
Source: C:\Windows\System32\notepad.exe | Section loaded: ntmarta.dll | Jump to behavior |
Source: C:\Windows\System32\notepad.exe | Section loaded: coremessaging.dll | Jump to behavior |