File name:

gatherNetworkInfo.vbs

Full analysis: https://app.any.run/tasks/0a472379-d59f-4b95-9b87-fe5192c29742
Verdict: Malicious activity
Analysis date: November 21, 2024, 18:07:52
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

2E6AF4D5BF6E31E728F409984C3045D4

SHA1:

757BF5310F40A69D883F11E75F220E02FBAA0127

SHA256:

D906D6126A1E9C9569EF81605D02F03EF94AA57B3AB9CBD56C996BAF22FA461B

SSDEEP:

1536:sImNGeeGUJIgZf/A+qfwkgKo9kNxyJ3OOjPl68fef0qIbIE5ToGdKTYL7TBHQ/8S:sImNGXGUJtx/A+qfol6yqZs8J

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 440)

    • Uses WEVTUTIL.EXE to export log

      • cmd.exe (PID: 3648)
      • cmd.exe (PID: 5764)
      • cmd.exe (PID: 3640)
      • cmd.exe (PID: 5540)
      • cmd.exe (PID: 2548)
      • cmd.exe (PID: 4036)
      • cmd.exe (PID: 3764)

    • Get information on the list of running processes

      • wscript.exe (PID: 440)

    • Uses WEVTUTIL.EXE to archive the exported log

      • cmd.exe (PID: 2260)
      • cmd.exe (PID: 3508)
      • cmd.exe (PID: 5656)
      • cmd.exe (PID: 5104)
      • cmd.exe (PID: 4444)
      • cmd.exe (PID: 3940)
      • cmd.exe (PID: 6072)

    • Uses powercfg.exe to modify the power settings

      • cmd.exe (PID: 4044)

    • Executes application which crashes

      • wscript.exe (PID: 440)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
288
Monitored processes
167
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powercfg.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs dxdiag.exe cmd.exe no specs conhost.exe no specs dispdiag.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
236\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
396\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
396wevtutil epl "Microsoft-Windows-Wcmsvc/Operational" config\WCMLog.evtxC:\Windows\System32\wevtutil.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Eventing Command Line Utility
Exit code:
3
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wevtutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\combase.dll
c:\windows\system32\sechost.dll
396"C:\Windows\System32\cmd.exe" /c netsh advfirewall monitor show currentprofile >> config\WindowsFirewallConfig.txtC:\Windows\System32\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
396\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
440"C:\WINDOWS\System32\WScript.exe" C:\WINDOWS\gatherNetworkInfo.vbsC:\Windows\System32\wscript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
3221225477
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
492\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
544"C:\Windows\System32\cmd.exe" /c reg export "HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications" Reg\Notif.reg.txt /yC:\Windows\System32\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
544\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
544\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
14 103
Read events
13 990
Write events
92
Delete events
21

Modification events

(PID) Process:(5676) dxdiag.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:writeName:DxDiag In SystemInfo
Value:
1
(PID) Process:(5676) dxdiag.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:delete valueName:DxDiag In SystemInfo
Value:

(PID) Process:(5676) dxdiag.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:writeName:DxDiag In DirectDraw
Value:
1
(PID) Process:(5676) dxdiag.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:delete valueName:DxDiag In DirectDraw
Value:

(PID) Process:(5676) dxdiag.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:writeName:DxDiag In DirectSound
Value:
1
(PID) Process:(5676) dxdiag.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:delete valueName:DxDiag In DirectSound
Value:

(PID) Process:(5676) dxdiag.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:writeName:DxDiag In VideoCapture
Value:
1
(PID) Process:(5676) dxdiag.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:delete valueName:DxDiag In VideoCapture
Value:

(PID) Process:(5676) dxdiag.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:writeName:DxDiag In Diagnostics
Value:
1
(PID) Process:(5676) dxdiag.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:delete valueName:DxDiag In Diagnostics
Value:

Executable files
0
Suspicious files
12
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
6744WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_WScript.exe_ade32fc73311ebbd7b022c76e9473a611bd78b6_debcac4a_bdf5298c-b6d4-4117-879d-4b488d90fcb8\Report.wer
MD5:
SHA256:
5676dxdiag.exeC:\Users\admin\AppData\Local\D3DSCache\b349d32bb264b90e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.valbinary
MD5:C0627BA18EF48A97CA50DB7FEC75E930
SHA256:6DFB63072ECE7388CC695EB12A981D71CEA1C06D9A919ABF57AB0F4BA90F759D
6744WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERD618.tmp.dmpbinary
MD5:E3DC0EB5B647DC36CEEB74DEACC0EDF7
SHA256:4CDBC0069927261F571AEB8E1B66745BA655C5DB26FFDC3C8E8B83D528EDD06C
6744WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERD752.tmp.WERInternalMetadata.xmlxml
MD5:A667F62179D103F91783D37F759BDC4D
SHA256:CA7046119787D9590520D53C5263EC957C21222347634B9F44FC3611F273FA0C
5676dxdiag.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\45AE547469FB7137480E06153457A2DDbinary
MD5:60D2111B1B98AC9C03897C7EEC2F566C
SHA256:F8877C6BF801B9AC6A63DE0FBFCBA6849B80B36142EE339AF5D1114D6C0DF64B
5676dxdiag.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\45AE547469FB7137480E06153457A2DDder
MD5:607E2F82F28C67AE4F1118F13163EAEE
SHA256:731296029DE520110728583B3B315C9B554E6DD41EC15C4953AA9A8A49F7B5F8
5676dxdiag.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850der
MD5:BEA650E9D669CF1C6C2EA6DEF826B955
SHA256:E259199F60C1F26999723B5B2C2120DF8D35440B3F606DC0F8B79C896F54B49E
6744WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\21253908F3CB05D51B1C2DA8B681A785binary
MD5:489368486E5A61228C0B9E18145BB80E
SHA256:68F873AD7AE5DFBCA91E38F19E48F1B19A6348EDF5B9E03AD3DB2F38D7D1BBE6
6744WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERD772.tmp.xmlxml
MD5:523BBCD6B5926967C39171CA7840D987
SHA256:DF49D5B9F609A1BF465D758FC64D8A9052B629A343A83B64E960A22F8D8C2E1F
6744WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FEbinary
MD5:D39DF9FC1465E152B443421AA19E4921
SHA256:05A529F58EA32009530AB88DEDD6B81CE0D64D69BC5BCDE35B2FF92260B055FA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
38
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5676
dxdiag.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5676
dxdiag.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl%20
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6744
WerFault.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2.23.209.149:443
www.bing.com
Akamai International B.V.
GB
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
4932
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 23.37.237.227
whitelisted
google.com
  • 142.250.186.142
whitelisted
www.bing.com
  • 2.23.209.149
  • 2.23.209.182
  • 2.23.209.130
  • 2.23.209.179
  • 2.23.209.140
  • 2.23.209.133
  • 2.23.209.185
  • 2.23.209.189
  • 2.23.209.187
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.23
  • 40.126.31.69
  • 40.126.31.71
  • 20.190.159.68
  • 20.190.159.4
  • 20.190.159.71
  • 20.190.159.2
  • 20.190.159.75
whitelisted
go.microsoft.com
  • 2.19.230.153
whitelisted
watson.events.data.microsoft.com
  • 52.168.117.173
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
gatherNetworkInfo.vbs