File name:

Adjuntos-cfdi-kvtbj_9ldU_(811313).PDF.vbs

Full analysis: https://app.any.run/tasks/bf957d40-301b-4efc-8979-d7d00ca425ca
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 09, 2024, 09:22:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
autoit
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF, LF line terminators
MD5:

76347EDC3C3D03671A1C7DC86B959B8B

SHA1:

6CE77104B4F0095002A03CD1296F21238638B607

SHA256:

FF5278DFDCDA31F00EA75DB26D90F8F6E94A152895B5405D8301C40DBA0DE761

SSDEEP:

384:yt9EyR96hGHktXUKxuX93jWxr0RMHfyhVV+H93Q:Ty96hJkKxC93jWlGIyh7u3Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Scans artifacts that could help determine the target

      • wscript.exe (PID: 1260)
      • OfficeClickToRun.exe (PID: 3040)
      • _vrmfzw6_E.exe (PID: 4032)

    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 1260)

    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 1260)

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 1260)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5460)

    • Create files in the Startup directory

      • powershell.exe (PID: 5460)

    • Changes powershell execution policy (Bypass)

      • wscript.exe (PID: 1260)

    • Creates a writable file in the system directory

      • OfficeClickToRun.exe (PID: 3040)
      • svchost.exe (PID: 3048)
      • sppsvc.exe (PID: 3640)
      • svchost.exe (PID: 1296)
      • svchost.exe (PID: 2576)

    • The DLL Hijacking

      • OfficeClickToRun.exe (PID: 3040)

    • Adds path to the Windows Defender exclusion list

      • _vrmfzw6_Ei7.exe (PID: 5392)

    • Actions looks like stealing of personal data

      • _vrmfzw6_E.exe (PID: 6124)

  • SUSPICIOUS

    • Found IP address in command line

      • powershell.exe (PID: 5460)

    • Adds, changes, or deletes HTTP request header (SCRIPT)

      • wscript.exe (PID: 1260)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 1260)
      • cmd.exe (PID: 5988)
      • _vrmfzw6_Ei7.exe (PID: 5392)
      • cmd.exe (PID: 6440)
      • cmd.exe (PID: 5984)
      • cmd.exe (PID: 3592)

    • Possibly malicious use of IEX has been detected

      • wscript.exe (PID: 1260)

    • Probably download files using WebClient

      • wscript.exe (PID: 1260)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 1260)

    • The system shut down or reboot

      • powershell.exe (PID: 5460)
      • cmd.exe (PID: 6724)

    • Detected use of alternative data streams (AltDS)

      • svchost.exe (PID: 2632)

    • Checks Windows Trust Settings

      • OfficeClickToRun.exe (PID: 3040)
      • _vrmfzw6_E.exe (PID: 4032)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 5988)
      • cmd.exe (PID: 6440)
      • _vrmfzw6_Ei7.exe (PID: 5392)
      • cmd.exe (PID: 5984)
      • cmd.exe (PID: 3592)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 5988)
      • cmd.exe (PID: 6440)
      • cmd.exe (PID: 5984)
      • cmd.exe (PID: 3592)

    • Reads the date of Windows installation

      • _vrmfzw6_Ei7.exe (PID: 4732)
      • _vrmfzw6_Ei7.exe (PID: 5392)
      • _vrmfzw6_E.exe (PID: 4032)
      • MicrosoftEdgeUpdate.exe (PID: 5748)

    • Searches for installed software

      • svchost.exe (PID: 5764)

    • Checks for Java to be installed

      • jusched.exe (PID: 6124)
      • jusched.exe (PID: 6116)

    • Script adds exclusion path to Windows Defender

      • _vrmfzw6_Ei7.exe (PID: 5392)

    • Executes application which crashes

      • _vrmfzw6_Ei7.exe (PID: 4732)

    • Reads the BIOS version

      • _vrmfzw6_E.exe (PID: 6124)
      • _vrmfzw6_E.exe (PID: 6396)
      • _vrmfzw6_E.exe (PID: 1056)
      • _vrmfzw6_E.exe (PID: 4032)

    • The process creates files with name similar to system file names

      • powershell.exe (PID: 4736)

    • Executing commands from a ".bat" file

      • _vrmfzw6_Ei7.exe (PID: 5392)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6724)
      • cmd.exe (PID: 6228)

    • Reads security settings of Internet Explorer

      • _vrmfzw6_E.exe (PID: 4032)

    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2076)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6068)
      • MicrosoftEdgeUpdate.exe (PID: 6012)

  • INFO

    • Checks proxy server information

      • wscript.exe (PID: 1260)
      • powershell.exe (PID: 5460)
      • svchost.exe (PID: 4044)
      • WerFault.exe (PID: 6112)
      • powershell.exe (PID: 6104)
      • powershell.exe (PID: 6516)
      • powershell.exe (PID: 6096)
      • powershell.exe (PID: 5144)
      • _vrmfzw6_E.exe (PID: 4032)
      • MicrosoftEdgeUpdate.exe (PID: 720)
      • MicrosoftEdgeUpdate.exe (PID: 6244)
      • wermgr.exe (PID: 4376)
      • MicrosoftEdgeUpdate.exe (PID: 1788)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 5460)
      • wbv.exe (PID: 552)
      • wbv.exe (PID: 1376)
      • MicrosoftEdgeUpdate.exe (PID: 5748)
      • MicrosoftEdgeWebview_X86_109.0.1518.69.exe (PID: 364)
      • setup.exe (PID: 6476)

    • Drops the executable file immediately after the start

      • powershell.exe (PID: 5460)
      • _vrmfzw6_E.exe (PID: 6124)
      • _vrmfzw6_E.exe (PID: 6396)
      • _vrmfzw6_E.exe (PID: 1056)
      • _vrmfzw6_E.exe (PID: 4032)
      • wbv.exe (PID: 1376)
      • wbv.exe (PID: 552)
      • MicrosoftEdgeUpdate.exe (PID: 5748)
      • MicrosoftEdgeWebview_X86_109.0.1518.69.exe (PID: 364)
      • setup.exe (PID: 6476)

    • The Powershell connects to the Internet

      • powershell.exe (PID: 5460)
      • powershell.exe (PID: 6104)
      • powershell.exe (PID: 6516)
      • powershell.exe (PID: 6096)
      • powershell.exe (PID: 5144)

    • Unusual connection from system programs

      • powershell.exe (PID: 5460)
      • wscript.exe (PID: 1260)
      • powershell.exe (PID: 6104)
      • powershell.exe (PID: 6516)
      • powershell.exe (PID: 6096)
      • powershell.exe (PID: 5144)

    • Reads the software policy settings

      • slui.exe (PID: 6044)
      • OfficeClickToRun.exe (PID: 3040)
      • consent.exe (PID: 5620)
      • WerFault.exe (PID: 6112)
      • _vrmfzw6_E.exe (PID: 4032)
      • MicrosoftEdgeUpdate.exe (PID: 720)
      • MicrosoftEdgeUpdate.exe (PID: 6244)
      • wermgr.exe (PID: 4376)
      • MicrosoftEdgeUpdate.exe (PID: 1788)

    • Drops the AutoIt3 executable file

      • powershell.exe (PID: 5460)

    • Connects to the server without a host name

      • wscript.exe (PID: 1260)
      • _vrmfzw6_E.exe (PID: 4032)
      • _vrmfzw6_E.exe (PID: 6124)

    • Manual execution by a user

      • svchost.exe (PID: 1072)
      • svchost.exe (PID: 1288)
      • svchost.exe (PID: 1116)
      • svchost.exe (PID: 1296)
      • svchost.exe (PID: 1080)
      • svchost.exe (PID: 1356)
      • svchost.exe (PID: 1412)
      • svchost.exe (PID: 1120)
      • svchost.exe (PID: 1456)
      • svchost.exe (PID: 1572)
      • svchost.exe (PID: 1228)
      • svchost.exe (PID: 1680)
      • svchost.exe (PID: 1700)
      • svchost.exe (PID: 1504)
      • upfc.exe (PID: 1708)
      • svchost.exe (PID: 1776)
      • svchost.exe (PID: 1788)
      • svchost.exe (PID: 1976)
      • svchost.exe (PID: 2028)
      • svchost.exe (PID: 1916)
      • svchost.exe (PID: 2236)
      • svchost.exe (PID: 1768)
      • svchost.exe (PID: 2336)
      • svchost.exe (PID: 2020)
      • svchost.exe (PID: 2320)
      • svchost.exe (PID: 2552)
      • svchost.exe (PID: 2568)
      • svchost.exe (PID: 1840)
      • svchost.exe (PID: 2160)
      • svchost.exe (PID: 2328)
      • spoolsv.exe (PID: 2512)
      • svchost.exe (PID: 2576)
      • svchost.exe (PID: 2592)
      • svchost.exe (PID: 2408)
      • svchost.exe (PID: 2560)
      • svchost.exe (PID: 2660)
      • svchost.exe (PID: 2984)
      • svchost.exe (PID: 2696)
      • svchost.exe (PID: 3028)
      • svchost.exe (PID: 3000)
      • svchost.exe (PID: 2928)
      • svchost.exe (PID: 2636)
      • OfficeClickToRun.exe (PID: 3040)
      • svchost.exe (PID: 2976)
      • svchost.exe (PID: 3200)
      • svchost.exe (PID: 3352)
      • svchost.exe (PID: 3372)
      • svchost.exe (PID: 3048)
      • svchost.exe (PID: 2824)
      • svchost.exe (PID: 3772)
      • svchost.exe (PID: 3924)
      • svchost.exe (PID: 4044)
      • svchost.exe (PID: 2152)
      • svchost.exe (PID: 4088)
      • svchost.exe (PID: 4124)
      • svchost.exe (PID: 4240)
      • svchost.exe (PID: 4464)
      • sppsvc.exe (PID: 3640)
      • svchost.exe (PID: 4508)
      • svchost.exe (PID: 4704)
      • svchost.exe (PID: 4644)
      • svchost.exe (PID: 5364)
      • svchost.exe (PID: 5396)
      • cmd.exe (PID: 5988)
      • jusched.exe (PID: 6124)
      • _vrmfzw6_Ei7.exe (PID: 4732)
      • svchost.exe (PID: 5764)
      • svchost.exe (PID: 496)
      • svchost.exe (PID: 2632)
      • svchost.exe (PID: 5784)
      • _vrmfzw6_E.exe (PID: 6124)
      • _vrmfzw6_E.exe (PID: 6396)
      • svchost.exe (PID: 6156)
      • cmd.exe (PID: 6440)
      • jusched.exe (PID: 6116)
      • _vrmfzw6_E.exe (PID: 1056)
      • cmd.exe (PID: 5984)
      • cmd.exe (PID: 3592)
      • _vrmfzw6_E.exe (PID: 4032)

    • The process drops C-runtime libraries

      • powershell.exe (PID: 5460)

    • Reads the time zone

      • svchost.exe (PID: 1296)
      • svchost.exe (PID: 2552)
      • svchost.exe (PID: 3048)

    • Checks supported languages

      • OfficeClickToRun.exe (PID: 3040)
      • jusched.exe (PID: 6124)
      • _vrmfzw6_Ei7.exe (PID: 4732)
      • fodhelper.exe (PID: 5584)
      • _vrmfzw6_E.exe (PID: 6124)
      • _vrmfzw6_Ei7.exe (PID: 5392)
      • _vrmfzw6_E.exe (PID: 6396)
      • jusched.exe (PID: 6116)
      • _vrmfzw6_E.exe (PID: 1056)
      • _vrmfzw6_E.exe (PID: 4032)
      • wbv.exe (PID: 552)
      • wbv.exe (PID: 1376)
      • MicrosoftEdgeUpdate.exe (PID: 6492)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4880)
      • MicrosoftEdgeUpdate.exe (PID: 6012)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6068)
      • MicrosoftEdgeUpdate.exe (PID: 5748)
      • MicrosoftEdgeUpdate.exe (PID: 720)
      • MicrosoftEdgeUpdate.exe (PID: 4432)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2076)
      • setup.exe (PID: 6476)
      • MicrosoftEdgeUpdate.exe (PID: 6244)
      • MicrosoftEdgeWebview_X86_109.0.1518.69.exe (PID: 364)
      • MicrosoftEdgeUpdate.exe (PID: 1788)

    • Reads the computer name

      • OfficeClickToRun.exe (PID: 3040)
      • _vrmfzw6_Ei7.exe (PID: 4732)
      • fodhelper.exe (PID: 5584)
      • _vrmfzw6_Ei7.exe (PID: 5392)
      • _vrmfzw6_E.exe (PID: 6124)
      • _vrmfzw6_E.exe (PID: 6396)
      • _vrmfzw6_E.exe (PID: 1056)
      • _vrmfzw6_E.exe (PID: 4032)
      • MicrosoftEdgeUpdate.exe (PID: 6492)
      • MicrosoftEdgeUpdate.exe (PID: 6012)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4880)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6068)
      • MicrosoftEdgeUpdate.exe (PID: 5748)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2076)
      • MicrosoftEdgeUpdate.exe (PID: 720)
      • MicrosoftEdgeUpdate.exe (PID: 4432)
      • MicrosoftEdgeWebview_X86_109.0.1518.69.exe (PID: 364)
      • MicrosoftEdgeUpdate.exe (PID: 6244)
      • setup.exe (PID: 6476)
      • MicrosoftEdgeUpdate.exe (PID: 1788)

    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 3040)

    • Process checks computer location settings

      • OfficeClickToRun.exe (PID: 3040)
      • _vrmfzw6_Ei7.exe (PID: 4732)
      • fodhelper.exe (PID: 5584)
      • _vrmfzw6_Ei7.exe (PID: 5392)
      • _vrmfzw6_E.exe (PID: 4032)
      • MicrosoftEdgeUpdate.exe (PID: 5748)
      • MicrosoftEdgeUpdate.exe (PID: 6492)

    • Reads CPU info

      • OfficeClickToRun.exe (PID: 3040)
      • _vrmfzw6_E.exe (PID: 6124)
      • _vrmfzw6_E.exe (PID: 1056)

    • Creates files in the program directory

      • svchost.exe (PID: 4644)
      • svchost.exe (PID: 2320)
      • svchost.exe (PID: 5784)
      • _vrmfzw6_E.exe (PID: 4032)
      • MicrosoftEdgeUpdate.exe (PID: 6492)

    • Reads Environment values

      • OfficeClickToRun.exe (PID: 3040)
      • _vrmfzw6_Ei7.exe (PID: 4732)
      • _vrmfzw6_Ei7.exe (PID: 5392)
      • _vrmfzw6_E.exe (PID: 6124)
      • _vrmfzw6_E.exe (PID: 6396)
      • _vrmfzw6_E.exe (PID: 4032)
      • _vrmfzw6_E.exe (PID: 1056)
      • MicrosoftEdgeUpdate.exe (PID: 720)
      • MicrosoftEdgeUpdate.exe (PID: 6492)
      • MicrosoftEdgeUpdate.exe (PID: 6244)
      • MicrosoftEdgeUpdate.exe (PID: 1788)

    • Application launched itself

      • cmd.exe (PID: 5988)
      • cmd.exe (PID: 6440)
      • cmd.exe (PID: 5984)
      • cmd.exe (PID: 3592)

    • Reads the machine GUID from the registry

      • _vrmfzw6_E.exe (PID: 6124)
      • _vrmfzw6_E.exe (PID: 6396)
      • OfficeClickToRun.exe (PID: 3040)
      • _vrmfzw6_E.exe (PID: 1056)
      • _vrmfzw6_E.exe (PID: 4032)
      • MicrosoftEdgeUpdate.exe (PID: 6492)

    • Reads mouse settings

      • _vrmfzw6_E.exe (PID: 6124)
      • _vrmfzw6_E.exe (PID: 6396)
      • _vrmfzw6_E.exe (PID: 1056)
      • _vrmfzw6_E.exe (PID: 4032)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6112)
      • _vrmfzw6_E.exe (PID: 4032)
      • MicrosoftEdgeUpdate.exe (PID: 5748)
      • MicrosoftEdgeWebview_X86_109.0.1518.69.exe (PID: 364)
      • setup.exe (PID: 6476)

    • Create files in a temporary directory

      • wbv.exe (PID: 1376)
      • wbv.exe (PID: 552)
      • MicrosoftEdgeUpdate.exe (PID: 5748)

    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 5748)
      • MicrosoftEdgeUpdate.exe (PID: 6492)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
446
Monitored processes
140
Malicious processes
9
Suspicious processes
3

Behavior graph

Click at the process to see the details
start start wscript.exe powershell.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe slui.exe no specs shutdown.exe no specs svchost.exe no specs svchost.exe svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs upfc.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs taskhostw.exe no specs spoolsv.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs officeclicktorun.exe svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs sppsvc.exe no specs svchost.exe no specs svchost.exe no specs sihost.exe no specs svchost.exe no specs svchost.exe no specs taskhostw.exe no specs svchost.exe no specs taskhostw.exe no specs svchost.exe no specs ctfmon.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe no specs svchost.exe svchost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs powershell.exe jusched.exe no specs _vrmfzw6_ei7.exe conhost.exe no specs svchost.exe no specs consent.exe no specs fodhelper.exe svchost.exe no specs svchost.exe no specs werfault.exe no specs werfault.exe _vrmfzw6_e.exe _vrmfzw6_ei7.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs svchost.exe no specs _vrmfzw6_e.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs powershell.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs bcdedit.exe no specs reg.exe no specs reg.exe no specs shutdown.exe no specs cmd.exe no specs conhost.exe no specs bcdedit.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs powershell.exe jusched.exe no specs _vrmfzw6_e.exe _vrmfzw6_e.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs powershell.exe wbv.exe no specs wbv.exe no specs microsoftedgeupdate.exe no specs microsoftedgeupdate.exe no specs microsoftedgeupdate.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe wermgr.exe microsoftedgewebview_x86_109.0.1518.69.exe no specs setup.exe no specs microsoftedgeupdate.exe

Process information

PID
CMD
Path
Indicators
Parent process
364"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{12D658CC-53A3-47BB-A3F1-F22F4BCDC80B}\MicrosoftEdgeWebview_X86_109.0.1518.69.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --user-levelC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{12D658CC-53A3-47BB-A3F1-F22F4BCDC80B}\MicrosoftEdgeWebview_X86_109.0.1518.69.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Installer
Exit code:
0
Version:
109.0.1518.69
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\install\{12d658cc-53a3-47bb-a3f1-f22f4bcdc80b}\microsoftedgewebview_x86_109.0.1518.69.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\msvcp_win.dll
496C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s AppinfoC:\Windows\System32\svchost.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
552"C:\ProgramData\wbv.exe" /silent /installC:\ProgramData\wbv.exe_vrmfzw6_E.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update Setup
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\programdata\wbv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
720"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7NjZBMjM3RjktQTUzQS00MEQ2LUJBREItMTlCQjJFNUE2MjhGfSIgdXNlcmlkPSJ7NzAyMDBBNTUtNURCMC00NzQ4LTlDQ0ItNUMwNDU0QzE2OTNBfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins0RjZCNzU4MS03MTFDLTQ4MjQtQTUxNy1DMEQxNkEyRUZBRTR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ0LjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE3MS4zOSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMjAzMzU0MDEyMCIgaW5zdGFsbF90aW1lX21zPSIzOTMiLz48L2FwcD48L3JlcXVlc3Q-C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.171.39
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
896taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}C:\Windows\System32\taskhostw.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskhostw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
1056"C:\_vrmfzw6_E\_vrmfzw6_E.exe" C:\_vrmfzw6_E\_vrmfzw6_E.atC:\_vrmfzw6_E\_vrmfzw6_E.exe
explorer.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script
Exit code:
0
Version:
3, 3, 14, 5
Modules
Images
c:\_vrmfzw6_e\_vrmfzw6_e.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\psapi.dll
c:\windows\syswow64\user32.dll
1064\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe_vrmfzw6_Ei7.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1072C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s gpsvcC:\Windows\System32\svchost.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
1080C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s DsmSvcC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
1116C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork -pC:\Windows\System32\svchost.exeservices.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
Total events
92 550
Read events
91 834
Write events
630
Delete events
86

Modification events

(PID) Process:(1260) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1260) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1260) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1260) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1260) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1260) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(1072) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0
Operation:writeName:szName
Value:
DESKTOP-JGLLJLD
(PID) Process:(1072) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0
Operation:writeName:szTargetName
Value:
DESKTOP-JGLLJLD
(PID) Process:(1072) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Shadow\{9650FDBC-053A-4715-AD14-FC2DC65E8330}
Operation:delete keyName:(default)
Value:
(PID) Process:(1072) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Shadow\{9650FDBC-053A-4715-AD14-FC2DC65E8330}\0
Operation:delete keyName:(default)
Value:
Executable files
317
Suspicious files
72
Text files
50
Unknown types
2

Dropped files

PID
Process
Filename
Type
5460powershell.exeC:\_vrmfzw6_E\6.txt
MD5:
SHA256:
1260wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2CD1F910DD5DC23C234E99A91DE345C0binary
MD5:6A68356AF9EEC3F2FC609383E849E982
SHA256:73AE21E8D4115D82B30AF0F2B3E8EE4C28F47B746DF392A39E2973AC791CD07F
5460powershell.exeC:\_vrmfzw6_E\at.txt
MD5:
SHA256:
1260wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850der
MD5:BB4A853340557135BC2CB0BBE27A54AD
SHA256:FD5FE2BCCB5AEB89D438EC681F0E907AF9341F792D04B047854D149190DB7A5A
5460powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_awcnyue1.ghp.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5460powershell.exeC:\Windows \System32\fodhelper.exeexecutable
MD5:85018BE1FD913656BC9FF541F017EACD
SHA256:C546E05D705FFDD5E1E18D40E2E7397F186A7C47FA5FC21F234222D057227CF5
1260wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850binary
MD5:420652501F25220287FA2F6B65C0AFE2
SHA256:1259F12CE6223074966CD57A97425270208F9C428D7F0199567ABCB4F20A0E4C
5460powershell.exeC:\users\public\DESKTOP-JGLLJLD_vrmfzw6_E.cmdtext
MD5:85683042BD6C4E919E2AFE791F66AD7E
SHA256:511E44A4E90A5003745B18F0C9C34FBB7FBFEEAF3E1E3BDCE40E84A2F28B128A
5460powershell.exeC:\_vrmfzw6_E\jli.txt
MD5:
SHA256:
1260wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2CD1F910DD5DC23C234E99A91DE345C0binary
MD5:F65A6F6125B3B4CAC492FE2A84F5693B
SHA256:B4F4E93F82497C72855D8F3C06D6F261FE4B78837D72C63350D520F26F10C59D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
39
TCP/UDP connections
120
DNS requests
66
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1260
wscript.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
binary
824 b
unknown
1260
wscript.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl
unknown
binary
564 b
unknown
1260
wscript.exe
POST
200
38.54.20.37:80
http://jan.viewdns.net/08/?=
unknown
text
309 b
unknown
5460
powershell.exe
GET
200
38.54.20.37:80
http://38.54.20.37/08/08
unknown
text
21.6 Kb
unknown
5028
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D
unknown
binary
313 b
unknown
1232
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
binary
471 b
unknown
1092
svchost.exe
POST
302
23.32.186.57:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
unknown
1092
svchost.exe
POST
302
23.32.186.57:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
unknown
6344
SIHClient.exe
GET
200
72.246.169.155:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
binary
418 b
unknown
6344
SIHClient.exe
GET
200
72.246.169.155:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
binary
409 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1260
wscript.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1260
wscript.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
1260
wscript.exe
38.54.20.37:80
jan.viewdns.net
COGENT-174
US
unknown
5460
powershell.exe
38.54.20.37:80
jan.viewdns.net
COGENT-174
US
unknown
3720
svchost.exe
239.255.255.250:1900
whitelisted
5548
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5612
MoUsoCoreWorker.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5460
powershell.exe
162.125.72.18:443
www.dropbox.com
DROPBOX
US
unknown
1232
svchost.exe
40.126.32.133:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
1232
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
jan.viewdns.net
  • 38.54.20.37
unknown
www.dropbox.com
  • 162.125.72.18
shared
login.live.com
  • 40.126.32.133
  • 40.126.32.140
  • 20.190.160.14
  • 20.190.160.20
  • 40.126.32.76
  • 40.126.32.74
  • 40.126.32.138
  • 20.190.160.22
  • 20.190.159.68
  • 20.190.159.73
  • 20.190.159.64
  • 20.190.159.71
  • 20.190.159.4
  • 40.126.31.73
  • 20.190.159.23
  • 40.126.31.71
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.bing.com
  • 2.20.142.162
  • 92.122.215.98
  • 92.122.215.56
  • 2.20.142.186
  • 92.122.215.74
  • 2.20.142.3
  • 2.20.142.185
  • 2.20.142.251
  • 92.122.215.95
  • 104.126.37.161
  • 104.126.37.170
  • 104.126.37.153
  • 104.126.37.163
  • 104.126.37.139
  • 104.126.37.185
  • 104.126.37.171
  • 104.126.37.184
  • 104.126.37.155
  • 104.126.37.123
  • 104.126.37.177
  • 104.126.37.130
  • 104.126.37.186
  • 104.126.37.131
  • 104.126.37.136
whitelisted
uc6cfd7aae40460f3b3681ad713c.dl.dropboxusercontent.com
  • 162.125.72.15
unknown
go.microsoft.com
  • 23.32.186.57
  • 23.35.238.131
whitelisted
dmd.metaservices.microsoft.com
  • 20.231.121.79
  • 138.91.171.81
  • 52.142.223.178
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
slscr.update.microsoft.com
  • 40.68.123.157
whitelisted

Threats

PID
Process
Class
Message
2136
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.viewdns .net
1260
wscript.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS HTTP Request to a *.viewdns .net Domain
5460
powershell.exe
Potential Corporate Privacy Violation
ET POLICY Dropbox.com Offsite File Backup in Use
1260
wscript.exe
A Network Trojan was detected
SUSPICIOUS [ANY.RUN] VBS is used to run Shell
1260
wscript.exe
Potentially Bad Traffic
ET HUNTING PowerShell DownloadString Command Common In Powershell Stagers
5460
powershell.exe
A Network Trojan was detected
LOADER [ANY.RUN] Casbaneiro
5460
powershell.exe
Potentially Bad Traffic
SUSPICIOUS [ANY.RUN] Decoding FromBase64 HTTP URI String
5460
powershell.exe
Misc activity
ET INFO DropBox User Content Download Access over SSL M2
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Adjuntos-cfdi-kvtbj_9ldU_(811313).PDF.vbs