File name:

rPayment_Swifopy_MT103_Confirmation_doc.vbs

Full analysis: https://app.any.run/tasks/50418277-1021-4dbc-be94-b854155bdcbd
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 13:27:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rat
remcos
stealer
susp-powershell
Indicators:
MIME: text/plain
File info: Unicode text, UTF-16, little-endian text, with CRLF line terminators
MD5:

86CD5B2E6CA43AA955BFFA201ACE6817

SHA1:

3A9B692E9EF00F996BAF1E55594D04A3DC880686

SHA256:

80DFFAEC07804006B35028B52ED382CEBCCCE2B3EAD906487DD4259F4A323669

SSDEEP:

24:FOIODa5XlsclUwb2uGYaRsGDyAWXNZDac3ZX2ZoTeB1qEAHlPQ:cIODKlnl/2xLDy/ZX2ZoTeiPQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7416)
      • powershell.exe (PID: 8040)
      • powershell.exe (PID: 8188)
      • powershell.exe (PID: 4620)
      • powershell.exe (PID: 7508)
      • powershell.exe (PID: 7880)
      • powershell.exe (PID: 7796)
      • powershell.exe (PID: 1512)
      • powershell.exe (PID: 7836)
      • powershell.exe (PID: 7532)
      • powershell.exe (PID: 7156)
      • powershell.exe (PID: 5588)
      • powershell.exe (PID: 7476)
      • powershell.exe (PID: 3240)
      • powershell.exe (PID: 7792)
      • powershell.exe (PID: 4268)
      • powershell.exe (PID: 6032)
      • powershell.exe (PID: 7760)
      • powershell.exe (PID: 6456)
      • powershell.exe (PID: 2960)
      • powershell.exe (PID: 7428)

    • Changes powershell execution policy (Bypass)

      • wscript.exe (PID: 7364)
      • powershell.exe (PID: 7416)
      • powershell.exe (PID: 8040)
      • cmd.exe (PID: 7172)
      • cmd.exe (PID: 728)
      • powershell.exe (PID: 8188)
      • powershell.exe (PID: 4620)
      • powershell.exe (PID: 7508)
      • powershell.exe (PID: 7880)
      • powershell.exe (PID: 1512)
      • cmd.exe (PID: 6436)
      • powershell.exe (PID: 5588)
      • powershell.exe (PID: 3240)

    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 7416)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 8040)

    • Starts CMD.EXE for self-deleting

      • powershell.exe (PID: 8188)

    • Changes Windows Defender settings

      • powershell.exe (PID: 8188)

    • Adds path to the Windows Defender exclusion list

      • powershell.exe (PID: 8188)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 4620)
      • powershell.exe (PID: 7508)
      • powershell.exe (PID: 7836)
      • powershell.exe (PID: 7796)
      • powershell.exe (PID: 5588)

    • REMCOS mutex has been found

      • AddInProcess32.exe (PID: 5936)
      • AddInProcess32.exe (PID: 2656)

    • Connects to the CnC server

      • AddInProcess32.exe (PID: 5936)

    • REMCOS has been detected (SURICATA)

      • AddInProcess32.exe (PID: 5936)

    • Actions looks like stealing of personal data

      • recover.exe (PID: 2040)
      • recover.exe (PID: 1568)

    • Steals credentials from Web Browsers

      • recover.exe (PID: 1568)

    • REMCOS has been detected

      • AddInProcess32.exe (PID: 5936)

  • SUSPICIOUS

    • Possibly malicious use of IEX has been detected

      • wscript.exe (PID: 7364)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7364)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 7364)
      • powershell.exe (PID: 7416)
      • powershell.exe (PID: 8040)
      • powershell.exe (PID: 8188)
      • cmd.exe (PID: 7172)
      • powershell.exe (PID: 4620)
      • cmd.exe (PID: 728)
      • powershell.exe (PID: 7880)
      • powershell.exe (PID: 7508)
      • powershell.exe (PID: 1512)
      • cmd.exe (PID: 6436)
      • powershell.exe (PID: 5588)
      • powershell.exe (PID: 3240)

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 7416)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7416)
      • powershell.exe (PID: 8040)
      • powershell.exe (PID: 8188)
      • powershell.exe (PID: 7880)
      • powershell.exe (PID: 5588)

    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 7416)

    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 8040)

    • Manipulates environment variables

      • powershell.exe (PID: 8040)

    • Probably obfuscated PowerShell command line is found

      • powershell.exe (PID: 7416)

    • Probably download files using WebClient

      • powershell.exe (PID: 7416)

    • Get information on the list of running processes

      • powershell.exe (PID: 7416)

    • Application launched itself

      • powershell.exe (PID: 7416)
      • powershell.exe (PID: 8040)
      • powershell.exe (PID: 8188)
      • powershell.exe (PID: 4620)
      • powershell.exe (PID: 7880)
      • powershell.exe (PID: 7508)
      • powershell.exe (PID: 1512)
      • powershell.exe (PID: 3240)
      • powershell.exe (PID: 5588)

    • The process executes Powershell scripts

      • powershell.exe (PID: 7416)
      • powershell.exe (PID: 8040)
      • cmd.exe (PID: 7172)
      • cmd.exe (PID: 728)
      • powershell.exe (PID: 8188)
      • powershell.exe (PID: 4620)
      • powershell.exe (PID: 7508)
      • powershell.exe (PID: 7880)
      • powershell.exe (PID: 1512)
      • cmd.exe (PID: 6436)
      • powershell.exe (PID: 5588)
      • powershell.exe (PID: 3240)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 8040)

    • Checks processor architecture

      • powershell.exe (PID: 8040)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 7384)
      • cmd.exe (PID: 7404)
      • cmd.exe (PID: 7372)

    • Script adds exclusion path to Windows Defender

      • powershell.exe (PID: 8188)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3304)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 8188)

    • PowerShell delay command usage (probably sleep evasion)

      • powershell.exe (PID: 4620)
      • powershell.exe (PID: 7508)

    • Contacting a server suspected of hosting an CnC

      • AddInProcess32.exe (PID: 5936)

    • Reads security settings of Internet Explorer

      • AddInProcess32.exe (PID: 5936)

    • Connects to unusual port

      • AddInProcess32.exe (PID: 5936)

  • INFO

    • Disables trace logs

      • powershell.exe (PID: 7416)
      • powershell.exe (PID: 8040)
      • powershell.exe (PID: 8188)

    • Checks proxy server information

      • powershell.exe (PID: 7416)
      • AddInProcess32.exe (PID: 5936)

    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 7416)

    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 8040)

    • Reads the software policy settings

      • powershell.exe (PID: 8040)
      • slui.exe (PID: 7616)

    • Create files in a temporary directory

      • powershell.exe (PID: 8040)
      • recover.exe (PID: 2040)
      • recover.exe (PID: 1568)
      • recover.exe (PID: 856)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 8188)
      • powershell.exe (PID: 7880)
      • powershell.exe (PID: 5588)

    • Creates a new folder

      • cmd.exe (PID: 6800)

    • Found Base64 encoded network access via PowerShell (YARA)

      • powershell.exe (PID: 7416)

    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • powershell.exe (PID: 7416)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 536)
      • powershell.exe (PID: 6988)

    • Found Base64 encoded file access via PowerShell (YARA)

      • powershell.exe (PID: 7416)

    • Found Base64 encoded access to environment variables via PowerShell (YARA)

      • powershell.exe (PID: 7416)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6988)
      • powershell.exe (PID: 536)

    • Checks supported languages

      • AddInProcess32.exe (PID: 5936)
      • AddInProcess32.exe (PID: 2656)

    • Reads the computer name

      • AddInProcess32.exe (PID: 5936)

    • Creates files or folders in the user directory

      • AddInProcess32.exe (PID: 5936)

    • Manual execution by a user

      • cmd.exe (PID: 6436)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.txt | Text - UTF-16 (LE) encoded (66.6)
.mp3 | MP3 audio (33.3)
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
183
Monitored processes
50
Malicious processes
14
Suspicious processes
3

Behavior graph

Click at the process to see the details
start wscript.exe no specs powershell.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe powershell.exe powershell.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs addinprocess32.exe no specs #REMCOS addinprocess32.exe svchost.exe recover.exe recover.exe recover.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs #REMCOS addinprocess32.exe no specs powershell.exe no specs slui.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
536powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\' ; Add-MpPreference -ExclusionPath $S -force ;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
728cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\wtsvm.ps1'"C:\Windows\System32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
856C:\Windows\SysWOW64\recover.exe /stext "C:\Users\admin\AppData\Local\Temp\kguunvplr"C:\Windows\SysWOW64\recover.exeAddInProcess32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Recover Files Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\recover.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll
1512powershell.exe -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\cztlm.ps1"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1568C:\Windows\SysWOW64\recover.exe /stext "C:\Users\admin\AppData\Local\Temp\xkjilllqhomzmywcuddvtmqkwsrjvyqpx"C:\Windows\SysWOW64\recover.exe
AddInProcess32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Recover Files Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\recover.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll
2040C:\Windows\SysWOW64\recover.exe /stext "C:\Users\admin\AppData\Local\Temp\ieobm"C:\Windows\SysWOW64\recover.exe
AddInProcess32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Recover Files Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\recover.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\rpcrt4.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2656#by-unknownC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Exit code:
2
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
2960"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\wtsvm.ps1"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
3240powershell.exe -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\abxio.ps1"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
102 425
Read events
102 408
Write events
17
Delete events
0

Modification events

(PID) Process:(5936) AddInProcess32.exeKey:HKEY_CURRENT_USER\SOFTWARE\wealthbankztricoder001922025-A0A0MJ
Operation:writeName:exepath
Value:
07A76337EA888D74B09E2649621DD9B7855B02BD006FBD973EA105DDCF721D3EFA904641F60A7180396C8EA0D5D22009124832488E84675E3386509082723A7BAE3C5BB6954AAF8629CA7080FCADA11106261426BE0C3C9D48C58A744AA072FCAEEFE9B0C1B9829B4F11F73AF83B30690C277AA0B9FAC7746C5FD1C92F903232F4F8
(PID) Process:(5936) AddInProcess32.exeKey:HKEY_CURRENT_USER\SOFTWARE\wealthbankztricoder001922025-A0A0MJ
Operation:writeName:licence
Value:
6214F355B8397CF792A477F14524C9DF
(PID) Process:(5936) AddInProcess32.exeKey:HKEY_CURRENT_USER\SOFTWARE\wealthbankztricoder001922025-A0A0MJ
Operation:writeName:time
Value:
(PID) Process:(5936) AddInProcess32.exeKey:HKEY_CURRENT_USER\SOFTWARE\wealthbankztricoder001922025-A0A0MJ
Operation:writeName:UID
Value:
(PID) Process:(5936) AddInProcess32.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(5936) AddInProcess32.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(5936) AddInProcess32.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7796) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Update Drivers NVIDEO_pgv
Value:
cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\sghhk.ps1' ";exit
(PID) Process:(7836) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Update Drivers NVIDEO_iwb
Value:
cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\sghhk.ps1' ";exit
(PID) Process:(7532) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:Update Drivers NVIDEO_iwb
Value:
cmd.exe /c start /min "" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\admin\AppData\LocalLow\Daft Sytem (x86)\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\sghhk.ps1' ";exit
Executable files
0
Suspicious files
9
Text files
55
Unknown types
0

Dropped files

PID
Process
Filename
Type
7416powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_h51hpiff.v2u.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8188powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ow5ifasm.hgs.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7416powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lr0chkju.dpo.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8188powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_k5r5vntx.z2q.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6988powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xasggzsy.kpv.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8040powershell.exeC:\Users\admin\AppData\Local\Temp\dll03.ps1text
MD5:AC619BCA472ADD45107FEB29BD8A1F36
SHA256:CE881C530CE2933EF7FDDEEE523CD81BAA7EFC8A7298D947D38D9376C79AEC79
536powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cqyy5ygf.inp.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8040powershell.exeC:\Users\admin\AppData\Local\Temp\dll02.txttext
MD5:977E7717B1DEBC07678AADFF20F082B1
SHA256:E1D6E508018624CDA11670BF5042A57F27F34AB626CB6A1CAF9261D117964D1E
6988powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xjrbo5pt.xg1.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8040powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_obqz4hxq.ltt.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
30
DNS requests
19
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.216.77.36:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7188
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5936
AddInProcess32.exe
GET
200
178.237.33.50:80
http://geoplugin.net/json.gp
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7188
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
23.216.77.36:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7416
powershell.exe
191.252.83.189:443
localbusineess.com.br
Locaweb Servicos de Internet SA
BR
unknown
6708
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
20.190.159.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 23.216.77.36
  • 23.216.77.42
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
localbusineess.com.br
  • 191.252.83.189
unknown
login.live.com
  • 20.190.159.131
  • 40.126.31.128
  • 40.126.31.73
  • 40.126.31.130
  • 20.190.159.129
  • 40.126.31.3
  • 40.126.31.131
  • 20.190.159.75
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
www.pastery.net
  • 104.21.96.1
  • 104.21.80.1
  • 104.21.112.1
  • 104.21.16.1
  • 104.21.64.1
  • 104.21.48.1
  • 104.21.32.1
unknown
wealthyblessedman.duckdns.org
  • 172.111.137.132
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
Malware Command and Control Activity Detected
ET MALWARE Remcos 3.x Unencrypted Server Response
Malware Command and Control Activity Detected
ET MALWARE Remcos 3.x Unencrypted Checkin
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
rPayment_Swifopy_MT103_Confirmation_doc.vbs