Windows Analysis Report
w7g8ZBnsuZ.js

Overview

General Information

Sample Name:w7g8ZBnsuZ.js
Analysis ID:722127
MD5:b0641fcc11e32bd0203b247adc672bca
SHA1:86b18455c1014dbc055ef634ad0bbfff6a07fb57
SHA256:9d478ad34c93fe8b245e8443da2a257a8be0b8fb7c343d2fb821231df882f771

Detection

Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Java / VBScript file with very long strings (likely obfuscated code)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Found WSH timer for Javascript or VBS script (likely evasive script)
Abnormal high CPU Usage

Classification

  • System is w10x64native
  • wscript.exe (PID: 7512 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\w7g8ZBnsuZ.js" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: w7g8ZBnsuZ.js | Virustotal: Detection: 31%
Source: https://www.cristianivanciu.ro/search.php?iqrzkviynpwn=4371400667002228 | Avira URL Cloud: Label: malware
Source: https://www.edmondoberselli.net/search.php?iqrzkviynpwn=847195790461584 | Avira URL Cloud: Label: malware
Source: www.cwa1037.org | Virustotal: Detection: 5%
Source: unknown | HTTPS traffic detected: 188.40.120.141:443 -> 192.168.11.20:49799 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 173.236.183.216:443 -> 192.168.11.20:49801 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.213.22.129:443 -> 192.168.11.20:49803 version: TLS 1.2

Networking

Source: C:\Windows\System32\wscript.exe | Network Connect: 188.213.22.129 443
Source: C:\Windows\System32\wscript.exe | Network Connect: 173.236.183.216 443
Source: C:\Windows\System32\wscript.exe | Network Connect: 188.40.120.141 443
Source: global traffic | HTTP traffic detected:
    GET /search.php?iqrzkviynpwn=847195790461584 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Language: en-US,en-GB;q=0.7,en;q=0.3
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: www.edmondoberselli.net
Source: global traffic | HTTP traffic detected:
    GET /search.php?iqrzkviynpwn=6249467258500909 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Language: en-US,en-GB;q=0.7,en;q=0.3
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: www.cwa1037.org
Source: global traffic | HTTP traffic detected:
    GET /search.php?iqrzkviynpwn=4371400667002228 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Language: en-US,en-GB;q=0.7,en;q=0.3
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: www.cristianivanciu.ro
Source: Joe Sandbox View | ASN Name: VOXILITYGB VOXILITYGB
Source: Joe Sandbox View | ASN Name: DREAMHOST-ASUS DREAMHOST-ASUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown | Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Thu, 13 Oct 2022 07:40:15 GMT
    Server: Apache
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Link: <https://www.cwa1037.org/wp-json/>; rel="https://api.w.org/"
    Upgrade: h2
    Connection: Upgrade, close
    Vary: User-Agent
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Connection: close
    set-cookie: PHPSESSID=d0ecb1398d9d79f2bb8089a37801b46d; path=/; secure
    pragma: no-cache
    content-type: text/html; charset=UTF-8
    expires: Wed, 11 Jan 1984 05:00:00 GMT
    cache-control: no-cache, must-revalidate, max-age=0
    link: <https://www.cristianivanciu.ro/wp-json/>; rel="https://api.w.org/"
    x-litespeed-cache-control: public,max-age=3600
    x-litespeed-tag: d0f_HTTP.404,d0f_404,d0f_URL.b96aed84b1456975e5f9ae2d6575167b,d0f_
    x-litespeed-cache: miss
    transfer-encoding: chunked
    date: Thu, 13 Oct 2022 07:40:42 GMT
    server: LiteSpeed
    alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: unknown | DNS traffic detected: queries for: www.edmondoberselli.net
Source: w7g8ZBnsuZ.js | Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe | Section loaded: edgegdi.dll
Source: C:\Windows\System32\wscript.exe | Process Stats: CPU usage > 98%
Source: w7g8ZBnsuZ.js | Virustotal: Detection: 31%
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: classification engine | Classification label: mal72.evad.winJS@1/0@3/3
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe TID: 5348 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe | Network Connect: 188.213.22.129 443
Source: C:\Windows\System32\wscript.exe | Network Connect: 173.236.183.216 443
Source: C:\Windows\System32\wscript.exe | Network Connect: 188.40.120.141 443
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
ATT&CK matrix, listed per tactic (numbers in parentheses are the report's per-technique match counts):

Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts
Execution: Scripting (2) | Scheduled Task/Job | At (Linux) | At (Windows) | Cron
Persistence: DLL Side-Loading (1) | Boot or Logon Initialization Scripts | Logon Script (Windows) | Logon Script (Mac) | Network Logon Script
Privilege Escalation: Process Injection (1) | DLL Side-Loading (1) | Logon Script (Windows) | Logon Script (Mac) | Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (1) | Process Injection (1) | Scripting (2) | DLL Side-Loading (1) | Obfuscated Files or Information (1)
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets
Discovery: Virtualization/Sandbox Evasion (1) | System Information Discovery (2) | Query Registry | System Network Configuration Discovery | Remote System Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH
Collection: Data from Local System | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Scheduled Transfer | Data Transfer Size Limits
Command and Control: Encrypted Channel (1) | Non-Application Layer Protocol (3) | Application Layer Protocol (14) | Ingress Tool Transfer (3) | Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location | SIM Card Swap | Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups | Carrier Billing Fraud | Manipulate App Store Rankings or Ratings
Impact: Modify System Partition | Device Lockout | Delete Device Data

Source | Detection | Scanner | Label
w7g8ZBnsuZ.js | 31% | Virustotal |
w7g8ZBnsuZ.js | NaN% | Metadefender |
No Antivirus matches

Source | Detection | Scanner | Label
www.cwa1037.org | 6% | Virustotal |
cristianivanciu.ro | 5% | Virustotal |
www.edmondoberselli.net | 1% | Virustotal |
www.cristianivanciu.ro | 2% | Virustotal |

Source | Detection | Scanner | Label
https://www.cristianivanciu.ro/search.php?iqrzkviynpwn=4371400667002228 | 100% | Avira URL Cloud | malware
https://www.cwa1037.org/search.php?iqrzkviynpwn=6249467258500909 | 0% | Avira URL Cloud | safe
https://www.edmondoberselli.net/search.php?iqrzkviynpwn=847195790461584 | 100% | Avira URL Cloud | malware

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.cwa1037.org | 173.236.183.216 | true | true | | unknown
cristianivanciu.ro | 188.213.22.129 | true | true | | unknown
www.edmondoberselli.net | 188.40.120.141 | true | true | | unknown
www.cristianivanciu.ro | unknown | unknown | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://www.cristianivanciu.ro/search.php?iqrzkviynpwn=4371400667002228 | true | Avira URL Cloud: malware | unknown
https://www.cwa1037.org/search.php?iqrzkviynpwn=6249467258500909 | true | Avira URL Cloud: safe | unknown
https://www.edmondoberselli.net/search.php?iqrzkviynpwn=847195790461584 | true | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.213.22.129 | cristianivanciu.ro | Romania | 3223 | VOXILITYGB | true
173.236.183.216 | www.cwa1037.org | United States | 26347 | DREAMHOST-ASUS | true
188.40.120.141 | www.edmondoberselli.net | Germany | 24940 | HETZNER-ASDE | true

Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:722127
Start date and time:2022-10-13 09:36:01 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 12m 15s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:w7g8ZBnsuZ.js
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name:Suspected Instruction Hammering
Number of analysed new started processes analysed:14
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal72.evad.winJS@1/0@3/3
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .js
  • Exclude process from analysis (whitelisted): UserOOBEBroker.exe, WMIADAP.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe, UsoClient.exe
  • Excluded IPs from analysis (whitelisted): 20.123.126.76
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, wdcpalt.microsoft.com, fs.microsoft.com, login.live.com, wd-prod-cp-eu-north-4-fe.northeurope.cloudapp.azure.com, settings-win.data.microsoft.com, wd-prod-cp.trafficmanager.net
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:40:15 | API Interceptor | 1x Sleep call for process: wscript.exe modified
Match | Associated Sample Name / URL | Detection | Context

Match: 188.213.22.129
  badjs.js | malicious |
Match: 188.40.120.141
  kauffrau_f#U00fcr_b#U00fcromanagement_muster_report_assistenz_und_sekretariat.js | malicious |
  #Uc708#Ub3c4#Uc6b0_#Uc11c#Ubc84_2016_#Ud55c#Uae00_#Uc5b8#Uc5b4#Ud329(ya).js | malicious |

Match | Associated Sample Name / URL | Detection | Context

Match: www.edmondoberselli.net
  kauffrau_f#U00fcr_b#U00fcromanagement_muster_report_assistenz_und_sekretariat.js | malicious | 188.40.120.141

Match | Associated Sample Name / URL | Detection | Context

Match: VOXILITYGB
  bF3n.exe | malicious | 206.123.129.93
  https://+9f20c2b95d8811db26ad67f035d5ebc4:&%25%5e*+*$%3e%3c@9f20c2b95d8811db26ad67f035d5ebc4.utilajecrame.ro?q=cash@us.gt.com | malicious | 185.171.184.161
  https://+a8a435da54e1ee5149a12faff0f67982:&%%5E*+*$%3E%3C@a8a435da54e1ee5149a12faff0f67982.utilajecrame.ro?q=chorvath@wc.com | malicious | 185.171.184.161
  https://+4d07f520b3d5a95c2cbfeea3140c02ad:&%%5E*+*$%3E%3C@4d07f520b3d5a95c2cbfeea3140c02ad.utilajecrame.ro?q=emil@domain.com | malicious | 185.171.184.161
  https://+c9622f291428c8a0aed429387b377d34:&%25%5e*+*$%3e%3c@c9622f291428c8a0aed429387b377d34.utilajecrame.ro?q=stephanus@badgerholdings.co.za | malicious | 185.171.184.161
  https://@7400a723111a5b386748daf7e23c100d.enovin.ro#YXJ1cC5tQGFkY2IuY29t | malicious | 185.171.184.161
  https://ykaustubh1.jocuripitici.ro/?q=kaustubh.sukenkar@adcb.com | malicious | 185.171.184.161
  g0Mgq68ZGy.exe | malicious | 172.94.11.178
  i | malicious | 172.111.201.111
  https://mydukaan.io/trigglabs/products/trigglabs | malicious | 172.94.14.115
  output(1).js | malicious | 185.171.185.67
  output(1).js | malicious | 185.171.185.67
  11f44531fb088d31307d87b01e8eabff.zip | malicious | 188.213.19.81
  Transfer slip.js | malicious | 185.171.185.67
  Transfer slip.js | malicious | 185.171.185.67
  #Ud83d#Udcderogersbenefit.com - L no reply.pdf .wavv .shtml | malicious | 206.123.129.78
  https://u27740559.ct.sendgrid.net/ls/click?upn=v7Jb4F6s5hjll68BF0IwVZbLw09lfv1qovtkYay1nvBT87DS-2BttQx73PRFvxGeR3X1MC_-2BRTzXBmk1Lt-2F4PZF8ojm8AiaSra71kmLpVE4vjrtin-2Fns6cKsqWPffFFKkouhRSZOvhoWSZa9dLR4pgvjpPmL0b-2FntxoSOuK8xdfb2p0ZhICPnstM-2BLPRr7Bqs-2BcV5SH4q5FAwFSXtL80mAYXJHUNC8E-2FXd-2BAMfkHg-2BtObXot1i6D0gonRjvfx0SAFHIBF4uDi0pdRsuTz-2Fu3ZvBVAk46HCgpbBSAu7X287pXgIpSyDWyr5JTdZq-2FntLuf51VIoIwX1eo8TuSxbWp-2BPMoXUZUvtOglp-2BzNU5TWzfjMSUZNxzfV38KNisMvpKmKvYcaaM-2BHG77cML1tGe58vlbNvJGwdtoPXzSdxDzfDIC5D4gRKPLEt2GO2KrYT0DgbRtCBzq7k-2BX5AAqQctraUCz-2F50Dt65zqJ9dPIvjpdzcI-2BwFfDf623tArOVdtS-2Ft4EoBUPJ | malicious | 5.254.103.154
  https://u27740559.ct.sendgrid.net/ls/click?upn=v7Jb4F6s5hjll68BF0IwVZbLw09lfv1qovtkYay1nvBT87DS-2BttQx73PRFvxGeR3X1MC_-2BRTzXBmk1Lt-2F4PZF8ojm8AiaSra71kmLpVE4vjrtin-2Fns6cKsqWPffFFKkouhRSZOvhoWSZa9dLR4pgvjpPmL0b-2FntxoSOuK8xdfb2p0ZhICPnstM-2BLPRr7Bqs-2BcV5SH4q5FAwFSXtL80mAYXJHUNC8E-2FXd-2BAMfkHg-2BtObXot1i6D0gonRjvfx0SAFHIBF4uDi0pdRsuTz-2Fu3ZvBVAk46HCgpbBSAu7X287pXgIpSyDWyr5JTdZq-2FntLuf51VIoIwX1eo8TuSxbWp-2BPMoXUZUvtOglp-2BzNU5TWzfjMSUZNxzfV38KNisMvpKmKvYcaaM-2BHG77cML1tGe58vlbNvJGwdtoPXzSdxDzfDIC5D4gRKPLEt2GO2KrYT0DgbRtCBzq7k-2BX5AAqQctraUCz-2F50Dt65zqJ9dPIvjpdzcI-2BwFfDf623tArOVdtS-2Ft4EoBUPJ | malicious | 5.254.103.154
  N0oVbw9dwK.dll | malicious | 188.72.82.176
  order2022.exe | malicious | 172.111.208.177
Match: DREAMHOST-ASUS
  http://renewedsolutions.com | malicious | 208.113.233.8
  T1sdbmoDSZ.exe | malicious | 173.236.189.74
  file.exe | malicious | 173.236.189.74
  file.exe | malicious | 173.236.189.74
  file.exe | malicious | 173.236.189.74
  CAN_A_#U007e1.JS | malicious | 75.119.205.122
  CAN_A_#U007e1.JS | malicious | 75.119.205.122
  CAN_A_#U007e1.JS | malicious | 75.119.205.122
  https://www.liveupdt.com/ext/rd.php?f=bai&t=na&c=09162218&d=521 | malicious | 67.205.63.212
  file.exe | malicious | 173.236.189.74
  PURCHASE ORDER 29.09.2022.exe | malicious | 173.236.158.4
  file.exe | malicious | 173.236.189.74
  file.exe | malicious | 173.236.189.74
  Motivation_letter_to_extend_employment_contract (dn).js | malicious | 69.163.163.127
  ORDER NO VOL- 6542 335 22.exe | malicious | 69.163.160.221
  PO-A2031150 AVI41916.vbs | malicious | 64.90.52.80
  file.exe | malicious | 173.236.189.74
  Wingstop_franchise_agreement (pyz).js | malicious | 69.163.163.127
  Mutual_agreement_definition_contracts (bdu).js | malicious | 69.163.163.127
  Annual_agreement_for_permanent_seasonal_employment (rh).js | malicious | 69.163.163.127

Match | Associated Sample Name / URL | Detection | Context

Match: a0e9f5d64349fb13191bc781f81f42e1
  RBa0JVmvr9.exe | malicious | 173.236.183.216, 188.213.22.129, 188.40.120.141
  gootloader.js | malicious | 173.236.183.216, 188.213.22.129, 188.40.120.141
  gSwggs78An.exe | malicious | 173.236.183.216, 188.213.22.129, 188.40.120.141
  2CmYNFlGfn.exe | malicious | 173.236.183.216, 188.213.22.129, 188.40.120.141
  VgnlShfOXf.exe | malicious | 173.236.183.216, 188.213.22.129, 188.40.120.141
  A0djoPsoxL.exe | malicious | 173.236.183.216, 188.213.22.129, 188.40.120.141
  Short_let_tenancy_agreement_template_uk (xvc).js | malicious | 173.236.183.216, 188.213.22.129, 188.40.120.141
  jl3f7mhqCY.exe | malicious | 173.236.183.216, 188.213.22.129, 188.40.120.141
  What_is_an_open_book_agreement (lpl).js | malicious | 173.236.183.216, 188.213.22.129, 188.40.120.141
  State_farm_staff_agreement_assessment_answers (qa).js | malicious | 173.236.183.216, 188.213.22.129, 188.40.120.141
  Microsoft_online_services_program_vs_microsoft_customer_agreement (udcuq).js | malicious | 173.236.183.216, 188.213.22.129, 188.40.120.141
  gootloader_stage1.js | malicious | 173.236.183.216, 188.213.22.129, 188.40.120.141
  State_government_entities_certified_agreement_2015_qld (ps).js | malicious | 173.236.183.216, 188.213.22.129, 188.40.120.141
  What_is_a_pad_agreement (yi).js | malicious | 173.236.183.216, 188.213.22.129, 188.40.120.141
  Supplier_quality_agreements_fda (xyr).js | malicious | 173.236.183.216, 188.213.22.129, 188.40.120.141
  Texas_commercial_property_sales_contract (miu).js | malicious | 173.236.183.216, 188.213.22.129, 188.40.120.141
  gootloader-stage1.js | malicious | 173.236.183.216, 188.213.22.129, 188.40.120.141
  Nissan_car_lease_agreement (sln).js | malicious | 173.236.183.216, 188.213.22.129, 188.40.120.141
  Motivation_letter_to_extend_employment_contract (dn).js | malicious | 173.236.183.216, 188.213.22.129, 188.40.120.141
  https://michaelpageuk5ukln.com/michael-page | malicious | 173.236.183.216, 188.213.22.129, 188.40.120.141
        No context
        No created / dropped files found
File type:ASCII text, with very long lines (1360), with CRLF line terminators
Entropy (8bit):5.4182547189627925
TrID:
File name:w7g8ZBnsuZ.js
File size:2826
MD5:b0641fcc11e32bd0203b247adc672bca
SHA1:86b18455c1014dbc055ef634ad0bbfff6a07fb57
SHA256:9d478ad34c93fe8b245e8443da2a257a8be0b8fb7c343d2fb821231df882f771
SHA512:11bb15cef7c921ab289ea61138647102341833c524b5bb252d1cb2307160b8333e3cb1721cc7c83884abfa85c3b349783ff18f221292aa7cf8997e7ac9415296
SSDEEP:48:79wp8LHKO6DSFXTE9Nbd8RIOFkYRUZoqN0I88mGzXlnpBGXwAXkLfsAZvJxOQQtC:7+pEqO5jE9NbWS2UHVaXC3CFyV3lXoQ
TLSH:8B51B6FB3E12D8664A631E33105F6D1CB6B34590D2480110E663DBD96D2986F5E70FB7
File Content Preview:function early(){build[3270805]=kill;them = 'i@\"v\\\\r\"(no+fEnROdm+xne\\e\"nad@tpn\\S\"ixt,.Er k.i0()n)(\\g\" )slf=(li=\"e\\- h%1;SU)t.S xtE{epR TiDWerNSscScnSDroWOip\\M\"spA(etItr.Nc.s%eil\"j\\e b)e=O p e!(kt=2 a 2re\"2\\ra2%Cv2U. )St{;Ep Ri)}Dr0 Nc0e
Icon Hash:e8d69ece968a9ec4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2022 09:39:52.601619959 CEST | 49799 | 443 | 192.168.11.20 | 188.40.120.141
Oct 13, 2022 09:39:52.601741076 CEST | 443 | 49799 | 188.40.120.141 | 192.168.11.20
Oct 13, 2022 09:39:52.601938009 CEST | 49799 | 443 | 192.168.11.20 | 188.40.120.141
Oct 13, 2022 09:39:52.603734016 CEST | 49799 | 443 | 192.168.11.20 | 188.40.120.141
Oct 13, 2022 09:39:52.603799105 CEST | 443 | 49799 | 188.40.120.141 | 192.168.11.20
Oct 13, 2022 09:39:52.710407972 CEST | 443 | 49799 | 188.40.120.141 | 192.168.11.20
Oct 13, 2022 09:39:52.710623980 CEST | 49799 | 443 | 192.168.11.20 | 188.40.120.141
Oct 13, 2022 09:39:52.711703062 CEST | 49799 | 443 | 192.168.11.20 | 188.40.120.141
Oct 13, 2022 09:39:52.711719990 CEST | 443 | 49799 | 188.40.120.141 | 192.168.11.20
Oct 13, 2022 09:39:52.712327957 CEST | 443 | 49799 | 188.40.120.141 | 192.168.11.20
Oct 13, 2022 09:39:52.760288954 CEST | 49799 | 443 | 192.168.11.20 | 188.40.120.141
Oct 13, 2022 09:39:52.802257061 CEST | 49799 | 443 | 192.168.11.20 | 188.40.120.141
Oct 13, 2022 09:39:52.819703102 CEST | 443 | 49799 | 188.40.120.141 | 192.168.11.20
Oct 13, 2022 09:39:52.819967031 CEST | 443 | 49799 | 188.40.120.141 | 192.168.11.20
Oct 13, 2022 09:39:52.820004940 CEST | 49799 | 443 | 192.168.11.20 | 188.40.120.141
Oct 13, 2022 09:39:52.820004940 CEST | 49799 | 443 | 192.168.11.20 | 188.40.120.141
Oct 13, 2022 09:39:52.820127010 CEST | 443 | 49799 | 188.40.120.141 | 192.168.11.20
Oct 13, 2022 09:39:52.820163965 CEST | 49799 | 443 | 192.168.11.20 | 188.40.120.141
Oct 13, 2022 09:39:52.820193052 CEST | 443 | 49799 | 188.40.120.141 | 192.168.11.20
Oct 13, 2022 09:40:15.282299995 CEST | 49801 | 443 | 192.168.11.20 | 173.236.183.216
Oct 13, 2022 09:40:15.282320023 CEST | 443 | 49801 | 173.236.183.216 | 192.168.11.20
Oct 13, 2022 09:40:15.282478094 CEST | 49801 | 443 | 192.168.11.20 | 173.236.183.216
Oct 13, 2022 09:40:15.282788038 CEST | 49801 | 443 | 192.168.11.20 | 173.236.183.216
Oct 13, 2022 09:40:15.282795906 CEST | 443 | 49801 | 173.236.183.216 | 192.168.11.20
Oct 13, 2022 09:40:15.516300917 CEST | 443 | 49801 | 173.236.183.216 | 192.168.11.20
Oct 13, 2022 09:40:15.516643047 CEST | 49801 | 443 | 192.168.11.20 | 173.236.183.216
Oct 13, 2022 09:40:15.519325018 CEST | 49801 | 443 | 192.168.11.20 | 173.236.183.216
Oct 13, 2022 09:40:15.519342899 CEST | 443 | 49801 | 173.236.183.216 | 192.168.11.20
Oct 13, 2022 09:40:15.519687891 CEST | 443 | 49801 | 173.236.183.216 | 192.168.11.20
Oct 13, 2022 09:40:15.520375013 CEST | 49801 | 443 | 192.168.11.20 | 173.236.183.216
Oct 13, 2022 09:40:15.568384886 CEST | 443 | 49801 | 173.236.183.216 | 192.168.11.20
Oct 13, 2022 09:40:17.327410936 CEST | 443 | 49801 | 173.236.183.216 | 192.168.11.20
Oct 13, 2022 09:40:17.327835083 CEST | 443 | 49801 | 173.236.183.216 | 192.168.11.20
Oct 13, 2022 09:40:17.328053951 CEST | 49801 | 443 | 192.168.11.20 | 173.236.183.216
Oct 13, 2022 09:40:17.328119040 CEST | 443 | 49801 | 173.236.183.216 | 192.168.11.20
Oct 13, 2022 09:40:17.328142881 CEST | 49801 | 443 | 192.168.11.20 | 173.236.183.216
Oct 13, 2022 09:40:17.379983902 CEST | 49801 | 443 | 192.168.11.20 | 173.236.183.216
Oct 13, 2022 09:40:17.423999071 CEST | 443 | 49801 | 173.236.183.216 | 192.168.11.20
Oct 13, 2022 09:40:17.424026966 CEST | 443 | 49801 | 173.236.183.216 | 192.168.11.20
Oct 13, 2022 09:40:17.424180031 CEST | 49801 | 443 | 192.168.11.20 | 173.236.183.216
Oct 13, 2022 09:40:17.424243927 CEST | 49801 | 443 | 192.168.11.20 | 173.236.183.216
Oct 13, 2022 09:40:17.424288034 CEST | 443 | 49801 | 173.236.183.216 | 192.168.11.20
Oct 13, 2022 09:40:17.424577951 CEST | 443 | 49801 | 173.236.183.216 | 192.168.11.20
Oct 13, 2022 09:40:17.424711943 CEST | 443 | 49801 | 173.236.183.216 | 192.168.11.20
Oct 13, 2022 09:40:17.424770117 CEST | 49801 | 443 | 192.168.11.20 | 173.236.183.216
Oct 13, 2022 09:40:17.424829960 CEST | 443 | 49801 | 173.236.183.216 | 192.168.11.20
Oct 13, 2022 09:40:17.424935102 CEST | 49801 | 443 | 192.168.11.20 | 173.236.183.216
Oct 13, 2022 09:40:17.424967051 CEST | 443 | 49801 | 173.236.183.216 | 192.168.11.20
Oct 13, 2022 09:40:17.425147057 CEST | 49801 | 443 | 192.168.11.20 | 173.236.183.216
Oct 13, 2022 09:40:17.425189018 CEST | 443 | 49801 | 173.236.183.216 | 192.168.11.20
Oct 13, 2022 09:40:17.425210953 CEST | 49801 | 443 | 192.168.11.20 | 173.236.183.216
Oct 13, 2022 09:40:17.425678968 CEST | 443 | 49801 | 173.236.183.216 | 192.168.11.20
Oct 13, 2022 09:40:17.425817013 CEST | 49801 | 443 | 192.168.11.20 | 173.236.183.216
Oct 13, 2022 09:40:17.426384926 CEST | 49801 | 443 | 192.168.11.20 | 173.236.183.216
Oct 13, 2022 09:40:17.426445007 CEST | 443 | 49801 | 173.236.183.216 | 192.168.11.20
Oct 13, 2022 09:40:17.426465988 CEST | 49801 | 443 | 192.168.11.20 | 173.236.183.216
Oct 13, 2022 09:40:17.426493883 CEST | 443 | 49801 | 173.236.183.216 | 192.168.11.20
Oct 13, 2022 09:40:39.769664049 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:39.769685030 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:39.769942999 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:39.770193100 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:39.770204067 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:39.861254930 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:39.861466885 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:39.862574100 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:39.862597942 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:39.863125086 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:39.863742113 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:39.904429913 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:42.485150099 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:42.521238089 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:42.521267891 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:42.521961927 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:42.522001982 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:42.522033930 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:42.522201061 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:42.522250891 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:42.522305965 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:42.522342920 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:42.522440910 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:42.522553921 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:42.522597075 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:42.522648096 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:42.522864103 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:42.558856010 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:42.558924913 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:42.559055090 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:42.559151888 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:42.559195042 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:42.559432983 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:42.560065985 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:42.560163975 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:42.560266018 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:42.560266018 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:42.560353041 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:42.560398102 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:42.560604095 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:42.560655117 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:42.561228037 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:42.561316967 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:42.561382055 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:42.561436892 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:42.561492920 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:42.561563969 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:42.561573982 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Oct 13, 2022 09:40:42.561683893 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:42.561863899 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:42.561863899 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:42.561980009 CEST | 49803 | 443 | 192.168.11.20 | 188.213.22.129
Oct 13, 2022 09:40:42.562032938 CEST | 443 | 49803 | 188.213.22.129 | 192.168.11.20
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Oct 13, 2022 09:39:52.514965057 CEST  50442  53  192.168.11.20  1.1.1.1
Oct 13, 2022 09:39:52.594672918 CEST  53  50442  1.1.1.1  192.168.11.20
Oct 13, 2022 09:40:15.043242931 CEST  64885  53  192.168.11.20  1.1.1.1
Oct 13, 2022 09:40:15.281013966 CEST  53  64885  1.1.1.1  192.168.11.20
Oct 13, 2022 09:40:39.642684937 CEST  57588  53  192.168.11.20  1.1.1.1
Oct 13, 2022 09:40:39.768577099 CEST  53  57588  1.1.1.1  192.168.11.20
Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class  DNS over HTTPS
Oct 13, 2022 09:39:52.514965057 CEST  192.168.11.20  1.1.1.1  0xe37c  Standard query (0)  www.edmondoberselli.net  A (IP address)  IN (0x0001)  false
Oct 13, 2022 09:40:15.043242931 CEST  192.168.11.20  1.1.1.1  0x4a4  Standard query (0)  www.cwa1037.org  A (IP address)  IN (0x0001)  false
Oct 13, 2022 09:40:39.642684937 CEST  192.168.11.20  1.1.1.1  0x4f7d  Standard query (0)  www.cristianivanciu.ro  A (IP address)  IN (0x0001)  false
Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
Oct 13, 2022 09:39:52.594672918 CEST  1.1.1.1  192.168.11.20  0xe37c  No error (0)  www.edmondoberselli.net  -  188.40.120.141  A (IP address)  IN (0x0001)  false
Oct 13, 2022 09:40:15.281013966 CEST  1.1.1.1  192.168.11.20  0x4a4  No error (0)  www.cwa1037.org  -  173.236.183.216  A (IP address)  IN (0x0001)  false
Oct 13, 2022 09:40:39.768577099 CEST  1.1.1.1  192.168.11.20  0x4f7d  No error (0)  www.cristianivanciu.ro  cristianivanciu.ro  -  CNAME (Canonical name)  IN (0x0001)  false
Oct 13, 2022 09:40:39.768577099 CEST  1.1.1.1  192.168.11.20  0x4f7d  No error (0)  cristianivanciu.ro  -  188.213.22.129  A (IP address)  IN (0x0001)  false
          • www.edmondoberselli.net
          • www.cwa1037.org
          • www.cristianivanciu.ro
Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
0  192.168.11.20  49799  188.40.120.141  443  C:\Windows\System32\wscript.exe
Timestamp  kBytes transferred  Direction  Data
2022-10-13 07:39:52 UTC  0  OUT  GET /search.php?iqrzkviynpwn=847195790461584 HTTP/1.1
          Connection: Keep-Alive
          Accept: */*
          Accept-Language: en-US,en-GB;q=0.7,en;q=0.3
          User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
          Host: www.edmondoberselli.net
2022-10-13 07:39:52 UTC  0  IN  HTTP/1.1 200 OK
          Date: Thu, 13 Oct 2022 07:39:52 GMT
          Server: Apache
          X-Frame-Options: SAMEORIGIN
          X-XSS-Protection: 1; mode=block
          Content-Length: 0
          Connection: close
          Content-Type: text/html; charset=UTF-8


Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
1  192.168.11.20  49801  173.236.183.216  443  C:\Windows\System32\wscript.exe
Timestamp  kBytes transferred  Direction  Data
2022-10-13 07:40:15 UTC  0  OUT  GET /search.php?iqrzkviynpwn=6249467258500909 HTTP/1.1
          Connection: Keep-Alive
          Accept: */*
          Accept-Language: en-US,en-GB;q=0.7,en;q=0.3
          User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
          Host: www.cwa1037.org
2022-10-13 07:40:17 UTC  0  IN  HTTP/1.1 404 Not Found
          Date: Thu, 13 Oct 2022 07:40:15 GMT
          Server: Apache
          Expires: Wed, 11 Jan 1984 05:00:00 GMT
          Cache-Control: no-cache, must-revalidate, max-age=0
          Link: <https://www.cwa1037.org/wp-json/>; rel="https://api.w.org/"
          Upgrade: h2
          Connection: Upgrade, close
          Vary: User-Agent
          Transfer-Encoding: chunked
          Content-Type: text/html; charset=UTF-8
2022-10-13 07:40:17 UTC  1  IN  Data Raw: 37 34 33 61 0d 0a
Data Ascii: 743a
2022-10-13 07:40:17 UTC  1  IN  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 65 20 69 65 37 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 65 20 69 65 38 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 21 28 49 45 20 37 29 20 26 20 21 28 49 45 20 38 29 5d 3e 3c 21 2d 2d 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d
Data Ascii: <!DOCTYPE html>...[if IE 7]><html class="ie ie7" lang="en-US"><![endif]-->...[if IE 8]><html class="ie ie8" lang="en-US"><![endif]-->...[if !(IE 7) & !(IE 8)]>...><html lang="en-US">...<![endif]--><head><meta charset="UTF-8" /><meta name=
2022-10-13 07:40:17 UTC  8  IN  Data Raw: 29 20 32 30 25 2c 72 67 62 28 32 30 37 2c 34 32 2c 31 38 36 29 20 34 30 25 2c 72 67 62 28 32 33 38 2c 34 34 2c 31 33 30 29 20 36 30 25 2c 72 67 62 28 32 35 31 2c 31 30 35 2c 39 38 29 20 38 30 25 2c 72 67 62 28 32 35 34 2c 32 34 38 2c 37 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 62 6c 75 73 68 2d 6c 69 67 68 74 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 32 35 35 2c 32 30 36 2c 32 33 36 29 20 30 25 2c 72 67 62 28 31 35 32 2c 31 35 30 2c 32 34 30 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 62 6c 75 73 68 2d 62 6f 72 64 65 61 75 78 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31
Data Ascii: ) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(1
2022-10-13 07:40:17 UTC  16  IN  Data Raw: 32 22 20 2f 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 69 64 3d 22 74 77 65 6e 74 79 74 77 65 6c 76 65 2d 68 65 61 64 65 72 2d 63 73 73 22 3e 0a 09 09 2e 73 69 74 65 2d 74 69 74 6c 65 2c 0a 09 2e 73 69 74 65 2d 64 65 73 63 72 69 70 74 69 6f 6e 20 7b 0a 09 09 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 09 09 63 6c 69 70 3a 20 72 65 63 74 28 31 70 78 20 31 70 78 20 31 70 78 20 31 70 78 29 3b 20 2f 2a 20 49 45 37 20 2a 2f 0a 09 09 63 6c 69 70 3a 20 72 65 63 74 28 31 70 78 2c 20 31 70 78 2c 20 31 70 78 2c 20 31 70 78 29 3b 0a 09 7d 0a 09 09 09 3c 2f 73 74 79 6c 65 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 77 61 31 30 33 37 2e 6f 72 67
Data Ascii: 2" /><style type="text/css" id="twentytwelve-header-css">.site-title,.site-description {position: absolute;clip: rect(1px 1px 1px 1px); /* IE7 */clip: rect(1px, 1px, 1px, 1px);}</style><link rel="icon" href="https://www.cwa1037.org
2022-10-13 07:40:17 UTC  24  IN  Data Raw: 6f 72 67 2f 6d 65 6d 62 65 72 2d 69 6e 66 6f 72 6d 61 74 69 6f 6e 2f 63 69 76 69 6c 2d 73 65 72 76 69 63 65 2d 72 65 67 75 6c 61 74 69 6f 6e 73 2f 22 3e 43 69 76 69 6c 20 53 65 72 76 69 63 65 20 52 65 67 75 6c 61 74 69 6f 6e 73 3c 2f 61 3e 3c 2f 6c 69 3e 0a 09 3c 6c 69 20 63 6c 61 73 73 3d 22 70 61 67 65 5f 69 74 65 6d 20 70 61 67 65 2d 69 74 65 6d 2d 36 36 32 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 77 61 31 30 33 37 2e 6f 72 67 2f 6d 65 6d 62 65 72 2d 69 6e 66 6f 72 6d 61 74 69 6f 6e 2f 63 6f 6c 6c 65 63 74 69 76 65 2d 62 61 72 67 61 69 6e 69 6e 67 2d 61 67 72 65 65 6d 65 6e 74 73 2f 22 3e 43 6f 6c 6c 65 63 74 69 76 65 20 42 61 72 67 61 69 6e 69 6e 67 20 41 67 72 65 65 6d 65 6e 74 73 3c 2f 61 3e 3c 2f 6c 69 3e 0a 09 3c 6c
Data Ascii: org/member-information/civil-service-regulations/">Civil Service Regulations</a></li><li class="page_item page-item-662"><a href="https://www.cwa1037.org/member-information/collective-bargaining-agreements/">Collective Bargaining Agreements</a></li><l
2022-10-13 07:40:17 UTC  30  IN  Data Raw: 0d 0a
Data Ascii:
2022-10-13 07:40:17 UTC  30  IN  Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
2  192.168.11.20  49803  188.213.22.129  443  C:\Windows\System32\wscript.exe
Timestamp  kBytes transferred  Direction  Data
2022-10-13 07:40:39 UTC  30  OUT  GET /search.php?iqrzkviynpwn=4371400667002228 HTTP/1.1
          Connection: Keep-Alive
          Accept: */*
          Accept-Language: en-US,en-GB;q=0.7,en;q=0.3
          User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
          Host: www.cristianivanciu.ro
2022-10-13 07:40:42 UTC  30  IN  HTTP/1.1 404 Not Found
          Connection: close
          set-cookie: PHPSESSID=d0ecb1398d9d79f2bb8089a37801b46d; path=/; secure
          pragma: no-cache
          content-type: text/html; charset=UTF-8
          expires: Wed, 11 Jan 1984 05:00:00 GMT
          cache-control: no-cache, must-revalidate, max-age=0
          link: <https://www.cristianivanciu.ro/wp-json/>; rel="https://api.w.org/"
          x-litespeed-cache-control: public,max-age=3600
          x-litespeed-tag: d0f_HTTP.404,d0f_404,d0f_URL.b96aed84b1456975e5f9ae2d6575167b,d0f_
          x-litespeed-cache: miss
          transfer-encoding: chunked
          date: Thu, 13 Oct 2022 07:40:42 GMT
          server: LiteSpeed
          alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2022-10-13 07:40:42 UTC  31  IN  Data Raw: 31 30 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 78 6d 6c 6e 73 3a 6f 67 3d 22 68 74 74 70 3a 2f 2f 6f 70 65 6e 67 72 61 70 68 70 72 6f 74 6f 63 6f 6c 2e 6f 72 67 2f 73 63 68 65 6d 61 2f 22 20 78 6d 6c 6e 73 3a 66 62 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 66 61 63 65 62 6f 6f 6b 2e 63 6f 6d 2f 32 30 30 38 2f 66 62 6d 6c 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 66 6f 74 6f 67 72
Data Ascii: 10000<!DOCTYPE html><html lang="en-US" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml" prefix="og: http://ogp.me/ns#" class="no-js"><head><meta charset="UTF-8" /><meta name="description" content="fotogr
2022-10-13 07:40:42 UTC  31  IN  Data Raw: 67 72 61 66 20 42 75 63 75 72 65 73 74 69 20 2d 20 43 72 69 73 74 69 61 6e 20 49 76 61 6e 63 69 75 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 0a 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 50 72 65 6d 69 75 6d 20 70 6c 75 67 69 6e 20 76 36 2e 33 20
Data Ascii: graf Bucuresti - Cristian Ivanciu</title><meta name='robots' content='max-image-preview:large' /><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" />... This site is optimized with the Yoast SEO Premium plugin v6.3
2022-10-13 07:40:42 UTC  46  IN  Data Raw: 74 69 6f 6e 29 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 35 30 70 78 7d 2e 6d 65 6e 75 2d 68 69 67 68 6c 69 67 68 74 20 23 54 6f 70 5f 62 61 72 20 2e 6d 65 6e 75 20 3e 20 6c 69 20 3e 20 61 20 73 70 61 6e 2e 64 65 73 63 72 69 70 74 69 6f 6e 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 2e 6d 65 6e 75 2d 68 69 67 68 6c 69 67 68 74 2e 68 65 61 64 65 72 2d 73 74 61 63 6b 20 23 54 6f 70 5f 62 61 72 20 2e 6d 65 6e 75 20 3e 20 6c 69 20 3e 20 61 7b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6d 65 6e 75 2d 68 69 67 68 6c 69 67 68 74 2e 68 65 61 64 65 72 2d 73 74 61 63 6b 20 23 54 6f 70 5f 62 61 72 20 2e 6d 65 6e 75 20 3e 20 6c 69 20 3e 20 61 20 73 70 61 6e 3a 6e 6f 74 28 2e 64 65 73 63 72 69 70 74 69 6f 6e 29 7b 6c 69 6e 65 2d 68 65 69 67
Data Ascii: tion){line-height:50px}.menu-highlight #Top_bar .menu > li > a span.description{display:none}.menu-highlight.header-stack #Top_bar .menu > li > a{margin:10px 0!important}.menu-highlight.header-stack #Top_bar .menu > li > a span:not(.description){line-heig
2022-10-13 07:40:42 UTC  62  IN  Data Raw: 6c 61 79 3a 62 6c 6f 63 6b 21 69 6d 70 6f 72 74 61 6e 74 3b 6f 70 61 63 69 74 79 3a 31 21 69 6d 70 6f 72 74 61 6e 74 7d 23 48 65 61 64 65 72 5f 63 72 65 61 74 69 76 65 20 2e 63 72 65 61 74 69 76 65 2d 6d 65 6e 75 2d 74 6f 67 67 6c 65 2c 23 48 65 61 64 65 72 5f 63 72 65 61 74 69 76 65 20 2e 63 72 65 61 74 69 76 65 2d 73 6f 63 69 61 6c 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 21 69 6d 70 6f 72 74 61 6e 74 3b 6f 70 61 63 69 74 79 3a 31 21 69 6d 70 6f 72 74 61 6e 74 7d 23 48 65 61 64 65 72 5f 63 72 65 61 74 69 76 65 20 23 54 6f 70 5f 62 61 72 7b 70 6f 73 69 74 69 6f 6e 3a 73 74 61 74 69 63 3b 77 69 64 74 68 3a 31 30 30 25 7d 23 48 65 61 64 65 72 5f 63 72 65 61 74 69 76 65 20 23 54 6f 70 5f 62 61 72 20 23 6c 6f 67 6f 2c 23 48 65 61 64 65 72 5f 63 72 65 61 74 69
Data Ascii: lay:block!important;opacity:1!important}#Header_creative .creative-menu-toggle,#Header_creative .creative-social{display:none!important;opacity:1!important}#Header_creative #Top_bar{position:static;width:100%}#Header_creative #Top_bar #logo,#Header_creati
2022-10-13 07:40:42 UTC  78  IN  Data Raw: 63 6f 6e 74 61 63 74 5f 64 65 74 61 69 6c 73 20 61 3a 68 6f 76 65 72 7b 63 6f 6c 6f 72 3a 20 23 30 30 37 63 63 33 7d 23 41 63 74 69 6f 6e 5f 62 61 72 20 2e 73 6f 63 69 61 6c 20 6c 69 20 61 2c 23 48 65 61 64 65 72 5f 63 72 65 61 74 69 76 65 20 2e 73 6f 63 69 61 6c 20 6c 69 20 61 2c 23 41 63 74 69 6f 6e 5f 62 61 72 20 2e 73 6f 63 69 61 6c 2d 6d 65 6e 75 20 61 7b 63 6f 6c 6f 72 3a 20 23 62 62 62 62 62 62 7d 23 41 63 74 69 6f 6e 5f 62 61 72 20 2e 73 6f 63 69 61 6c 20 6c 69 20 61 3a 68 6f 76 65 72 2c 23 48 65 61 64 65 72 5f 63 72 65 61 74 69 76 65 20 2e 73 6f 63 69 61 6c 20 6c 69 20 61 3a 68 6f 76 65 72 2c 23 41 63 74 69 6f 6e 5f 62 61 72 20 2e 73 6f 63 69 61 6c 2d 6d 65 6e 75 20 61 3a 68 6f 76 65 72 7b 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 7d 23 53 75 62
Data Ascii: contact_details a:hover{color: #007cc3}#Action_bar .social li a,#Header_creative .social li a,#Action_bar .social-menu a{color: #bbbbbb}#Action_bar .social li a:hover,#Header_creative .social li a:hover,#Action_bar .social-menu a:hover{color: #FFFFFF}#Sub
2022-10-13 07:40:42 UTC  94  IN  Data Raw: 64 65 20 2e 63 6f 6e 74 65 6e 74 5f 77 72 61 70 70 65 72 20 7b 6d 61 78 2d 77 69 64 74 68 3a 20 31 32 34 30 70 78 3b 7d 2e 73 65 63 74 69 6f 6e 5f 77 72 61 70 70 65 72 2c 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 6d 61 78 2d 77 69 64 74 68 3a 20 31 32 32 30 70 78 3b 7d 2e 6c 61 79 6f 75 74 2d 62 6f 78 65 64 2e 68 65 61 64 65 72 2d 62 6f 78 65 64 20 23 54 6f 70 5f 62 61 72 2e 69 73 2d 73 74 69 63 6b 79 7b 6d 61 78 2d 77 69 64 74 68 3a 20 31 32 34 30 70 78 3b 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 20 37 36 37 70 78 29 7b 2e 73 65 63 74 69 6f 6e 5f 77 72 61 70 70 65 72 2c 2e 63 6f 6e 74 61 69 6e 65 72 2c 2e 66 6f 75 72 2e 63 6f 6c 75 6d 6e 73 20 2e 77 69 64 67 65 74 2d 61 72 65 61 20 7b 20 6d
Data Ascii: de .content_wrapper {max-width: 1240px;}.section_wrapper, .container {max-width: 1220px;}.layout-boxed.header-boxed #Top_bar.is-sticky{max-width: 1240px;}}@media only screen and (max-width: 767px){.section_wrapper,.container,.four.columns .widget-area { m
2022-10-13 07:40:42 UTC  95  IN  Data Raw: 33 39 30 65 0d 0a 74 6f 70 5f 62 61 72 5f 72 69 67 68 74 2c 2e 68 65 61 64 65 72 2d 70 6c 61 69 6e 20 23 54 6f 70 5f 62 61 72 20 2e 74 6f 70 5f 62 61 72 5f 72 69 67 68 74 20 7b 68 65 69 67 68 74 3a 20 39 30 70 78 3b 7d 23 54 6f 70 5f 62 61 72 20 2e 74 6f 70 5f 62 61 72 5f 72 69 67 68 74 5f 77 72 61 70 70 65 72 20 7b 74 6f 70 3a 20 32 35 70 78 3b 7d 2e 68 65 61 64 65 72 2d 70 6c 61 69 6e 20 23 54 6f 70 5f 62 61 72 20 61 23 68 65 61 64 65 72 5f 63 61 72 74 2c 2e 68 65 61 64 65 72 2d 70 6c 61 69 6e 20 23 54 6f 70 5f 62 61 72 20 61 23 73 65 61 72 63 68 5f 62 75 74 74 6f 6e 2c 2e 68 65 61 64 65 72 2d 70 6c 61 69 6e 20 23 54 6f 70 5f 62 61 72 20 2e 77 70 6d 6c 2d 6c 61 6e 67 75 61 67 65 73 2c 2e 68 65 61 64 65 72 2d 70 6c 61 69 6e 20 23 54 6f 70 5f 62 61 72 20
Data Ascii: 390etop_bar_right,.header-plain #Top_bar .top_bar_right {height: 90px;}#Top_bar .top_bar_right_wrapper {top: 25px;}.header-plain #Top_bar a#header_cart,.header-plain #Top_bar a#search_button,.header-plain #Top_bar .wpml-languages,.header-plain #Top_bar


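The three HTTPS sessions above share one shape: the request comes from wscript.exe, carries the default User-Agent of the WinHttp.WinHttpRequest COM object, and is a GET to /search.php with the same twelve-letter parameter name and a long all-digit value, rotated across three hosts that are all running WordPress (both 404 responses carry a wp-json Link header, and the one 200 had Content-Length 0, so no second stage was fetched in this run). The Python below is an added example, not part of the Joe Sandbox report, showing how that shape becomes a detection over HTTP telemetry. The record layout (one dict per request with process, host, request line, User-Agent and status) is an assumed stand-in for real proxy or EDR output; the field values are copied from the sessions above, and `find_beacon_campaign` generalises the observation to any beacon that walks a list of fallback hosts with the same path and parameter name.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script hosts that should almost never originate outbound HTTP(S) on a
# managed endpoint; a hit here is a reason on its own.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Default User-Agent of the WinHttp.WinHttpRequest COM object, as seen in
# the three requests in the report above.
WINHTTP_UA = re.compile(r"WinHttp\.WinHttpRequest\.\d", re.IGNORECASE)

# Beacon-style parameter value: a long run of digits and nothing else.
NUMERIC_ONLY = re.compile(r"^\d{10,}$")

# Constructed sample records; the values are copied from the report's HTTP
# sessions, the record layout itself is an assumption (adapt the field names
# to whatever proxy/EDR telemetry you actually have).
SAMPLE_REQUESTS = [
    {"process": r"C:\Windows\System32\wscript.exe", "host": "www.edmondoberselli.net",
     "request_line": "GET /search.php?iqrzkviynpwn=847195790461584 HTTP/1.1",
     "user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)", "status": 200},
    {"process": r"C:\Windows\System32\wscript.exe", "host": "www.cwa1037.org",
     "request_line": "GET /search.php?iqrzkviynpwn=6249467258500909 HTTP/1.1",
     "user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)", "status": 404},
    {"process": r"C:\Windows\System32\wscript.exe", "host": "www.cristianivanciu.ro",
     "request_line": "GET /search.php?iqrzkviynpwn=4371400667002228 HTTP/1.1",
     "user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)", "status": 404},
]


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into (method, path, {param: value})."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    return method, parts.path, dict(parse_qsl(parts.query, keep_blank_values=True))


def score_request(req):
    """Return the reasons one request looks like script-host beaconing (empty if none)."""
    reasons = []
    exe = req["process"].rsplit("\\", 1)[-1].lower()
    if exe in SCRIPT_HOSTS:
        reasons.append(f"script host {exe} initiating HTTP")
    if WINHTTP_UA.search(req.get("user_agent", "")):
        reasons.append("WinHttpRequest default User-Agent")
    _method, _path, params = parse_request_line(req["request_line"])
    if len(params) == 1:
        (name, value), = params.items()
        # Random-looking lowercase name with a purely numeric value, as in the sample.
        if name.isalpha() and name.islower() and NUMERIC_ONLY.match(value):
            reasons.append(f"single alpha param {name!r} with numeric value")
    return reasons


def find_beacon_campaign(requests, min_hosts=2):
    """Group requests by (path, parameter name) and return the groups that span
    at least min_hosts distinct hosts: one beacon rotating through its fallback
    C2 list, which a per-host indicator would miss."""
    groups = {}
    for req in requests:
        _method, path, params = parse_request_line(req["request_line"])
        for name in params:
            groups.setdefault((path, name), set()).add(req["host"])
    return {key: sorted(hosts) for key, hosts in groups.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["host"], req["status"], score_request(req))
    print(find_beacon_campaign(SAMPLE_REQUESTS))
```

The per-request reasons are deliberately independent so that any one of them can be turned into a lower-severity rule on its own, while the campaign grouping is what ties three requests to three unrelated domains back to a single script. The HTTP status is carried in each record but not scored: a 404 from a WordPress 404 page is exactly what a stripped or not-yet-armed compromised site returns, so it neither confirms nor clears the request.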

Target ID: 0
Start time: 09:37:57
Start date: 13/10/2022
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\w7g8ZBnsuZ.js"
Imagebase: 0x7ff7e7550000
File size: 170496 bytes
MD5 hash: 0639B0A6F69B3265C1E42227D650B7D1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

          No disassembly