File name:

tav.bat

Full analysis: https://app.any.run/tasks/13213a1a-56b7-4f8e-8e41-f92fff82a5a4
Verdict: Malicious activity
Analysis date: April 29, 2025, 06:35:03
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-doc
Indicators:
MIME: text/plain
File info: Unicode text, UTF-16, little-endian text, with very long lines (21538), with no line terminators
MD5:

F8569D38BB167E5A804A5AE98DB12332

SHA1:

46776BA3390CA7530E95B5CD125391DC8C0AE354

SHA256:

1C716C76FAC6F65556D1491042941411DEA90E37903CED1BCBD018B0B52CBC72

SSDEEP:

192:XNFT+mjjXbwiu+Nc6UoOtOB7vg+USBSLBBg8ccyTAFnfcXLSWAyDeeSHRS8S4OUP:hcMOIt0nKFtn5n1nfl/nc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
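The file info line above describes a .bat that is UTF-16 LE text consisting of a single 21538-character line with no line terminators, a shape that TRiD further down partly mistakes for MP3. The script below is an added example, not ANY.RUN tooling, that reproduces that static triage in Python: the three hashes, encoding detection with and without a BOM, and line statistics with flags for exactly the traits the report notes. SAMPLE_BYTES is a constructed stand-in (the real tav.bat is not reproduced here), and the 8191-character figure is cmd.exe's documented command-line limit, used here only as a threshold worth flagging.

```python
"""Static triage for a text-based dropper like tav.bat: hashes, text encoding, and line
structure (the report notes UTF-16 LE, one 21538-character line, no terminators).
Added example; SAMPLE_BYTES is a constructed stand-in, not the real sample."""
import hashlib
from typing import Dict, List, Union

CMD_LINE_LIMIT = 8191   # cmd.exe's documented maximum command-line length
LONG_LINE = 4096        # threshold chosen here for "very long line"


def hashes(data: bytes) -> Dict[str, str]:
    """MD5/SHA1/SHA256 in the upper-case form the report uses."""
    return {n: hashlib.new(n, data).hexdigest().upper() for n in ("md5", "sha1", "sha256")}


def detect_encoding(data: bytes) -> str:
    """BOM first; otherwise a NUL-byte pattern heuristic catches BOM-less UTF-16."""
    if data.startswith(b"\xff\xfe"):
        return "utf-16-le-bom"
    if data.startswith(b"\xfe\xff"):
        return "utf-16-be-bom"
    if data.startswith(b"\xef\xbb\xbf"):
        return "utf-8-bom"
    sample = data[:4096]
    if len(sample) >= 4:
        odd = sample[1::2].count(0) / len(sample[1::2])    # UTF-16LE ASCII: high byte is NUL
        even = sample[0::2].count(0) / len(sample[0::2])
        if odd > 0.7 and even < 0.1:
            return "utf-16-le"
        if even > 0.7 and odd < 0.1:
            return "utf-16-be"
    return "ascii/utf-8"


_CODECS = {"utf-16-le-bom": "utf-16", "utf-16-be-bom": "utf-16", "utf-8-bom": "utf-8-sig",
           "utf-16-le": "utf-16-le", "utf-16-be": "utf-16-be"}


def decode_text(data: bytes, encoding: str) -> str:
    return data.decode(_CODECS.get(encoding, "utf-8"), errors="replace")


def triage(data: bytes) -> Dict[str, Union[str, int, bool, List[str], Dict[str, str]]]:
    enc = detect_encoding(data)
    text = decode_text(data, enc)
    lines = text.splitlines()
    longest = max((len(line) for line in lines), default=0)
    terminators = ("\n" in text) or ("\r" in text)
    flags = []
    if enc.startswith("utf-16"):
        flags.append("utf-16-text")               # unusual for a hand-written .bat
    if longest > LONG_LINE:
        flags.append("very-long-line")
    if longest > CMD_LINE_LIMIT:
        flags.append("exceeds-cmd-line-limit")    # longer than cmd.exe's 8191-char limit
    if lines and not terminators:
        flags.append("no-line-terminators")
    return {"hashes": hashes(data), "encoding": enc, "line_count": len(lines),
            "longest_line": longest, "has_line_terminators": terminators, "flags": flags}


# Constructed stand-in: a one-line batch payload, UTF-16 LE without BOM, no newline,
# padded to the 21538-character line length the report gives for tav.bat.
SAMPLE_PREFIX = '@echo off & tasklist /FI "IMAGENAME eq AvastUI.exe" | find /i "AvastUI.exe" & rem '
SAMPLE_TEXT = SAMPLE_PREFIX + "A" * (21538 - len(SAMPLE_PREFIX))
SAMPLE_BYTES = SAMPLE_TEXT.encode("utf-16-le")

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BYTES).items():
        print(f"{key}: {value}")
```

The NUL-pattern heuristic matters because `file`'s "Unicode text, UTF-16, little-endian" verdict does not tell you whether a BOM was present, and a BOM-less UTF-16 script decoded as UTF-8 looks like harmless NUL-separated ASCII to a naive string search. Swap SAMPLE_BYTES for the bytes of a real sample to get the same fields the report's header shows.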
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6044)
    • Antivirus name has been found in the command line (generic signature)

      • find.exe (PID: 2152)
      • tasklist.exe (PID: 6872)
      • tasklist.exe (PID: 920)
      • find.exe (PID: 2284)
  • SUSPICIOUS

    • Starts process via Powershell

      • powershell.exe (PID: 6044)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4448)
      • cmd.exe (PID: 5892)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 6044)
    • Get information on the list of running processes

      • cmd.exe (PID: 5892)
    • Executing commands from a ".bat" file

      • powershell.exe (PID: 6044)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6272)
    • The process executes via Task Scheduler

      • SecureBootEncodeUEFI.exe (PID: 656)
      • PLUGScheduler.exe (PID: 3720)
    • Process drops python dynamic module

      • powershell.exe (PID: 4724)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 4724)
    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 4724)
  • INFO

    • Disables trace logs

      • powershell.exe (PID: 6272)
    • Checks proxy server information

      • slui.exe (PID: 5964)
      • powershell.exe (PID: 6272)
    • Reads the software policy settings

      • slui.exe (PID: 5964)
      • slui.exe (PID: 3676)
    • Creates files in the program directory

      • PLUGScheduler.exe (PID: 3720)
    • Reads the computer name

      • PLUGScheduler.exe (PID: 3720)
    • Encodes the UEFI Secure Boot certificates

      • SecureBootEncodeUEFI.exe (PID: 656)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4724)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 4724)
    • The sample compiled with english language support

      • powershell.exe (PID: 4724)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.txt | Text - UTF-16 (LE) encoded (66.6)
.mp3 | MP3 audio (33.3)
No data.
All screenshots are available in the full report
Total processes
299
Monitored processes
22
Malicious processes
2
Suspicious processes
2

Behavior graph

Process nodes in the graph, in order (nodes marked "no specs" have no detailed record in the report): cmd.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), sppextcomobj.exe (no specs), slui.exe, cmd.exe (no specs), conhost.exe (no specs), tasklist.exe (no specs), find.exe (no specs), tasklist.exe (no specs), find.exe (no specs), powershell.exe, svchost.exe, slui.exe, powershell.exe, plugscheduler.exe (no specs), securebootencodeuefi.exe (no specs), conhost.exe (no specs), ucpdmgr.exe (no specs), conhost.exe (no specs), ucpdmgr.exe (no specs), conhost.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
656
CMD:
"C:\WINDOWS\system32\SecureBootEncodeUEFI.exe"
Path:
C:\Windows\System32\SecureBootEncodeUEFI.exe
Parent process:
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Secure Boot UEFI Encoder
Exit code:
3221225728
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\securebootencodeuefi.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
916
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
SecureBootEncodeUEFI.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
920
CMD:
tasklist /FI "IMAGENAME eq AvastUI.exe"
Path:
C:\Windows\System32\tasklist.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
1300
CMD:
C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path:
C:\Windows\System32\SppExtComObj.Exe
Parent process:
svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID:
1872
CMD:
"C:\WINDOWS\system32\UCPDMgr.exe"
Path:
C:\Windows\System32\UCPDMgr.exe
Parent process:
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
User Choice Protection Manager
Exit code:
0
Version:
1.0.0.414301
Modules
Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
2152
CMD:
find /i "AvastUI.exe"
Path:
C:\Windows\System32\find.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID:
2196
CMD:
C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID:
2284
CMD:
find /i "avgui.exe"
Path:
C:\Windows\System32\find.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID:
2760
CMD:
"C:\WINDOWS\system32\UCPDMgr.exe"
Path:
C:\Windows\System32\UCPDMgr.exe
Parent process:
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
User Choice Protection Manager
Exit code:
0
Version:
1.0.0.414301
Modules
Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
3676
CMD:
"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path:
C:\Windows\System32\slui.exe
Parent process:
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
20 946
Read events
20 946
Write events
0
Delete events
0

Modification events

No data
Executable files
41
Suspicious files
177
Text files
878
Unknown types
0

Dropped files

PID | Process | Filename | Type
6272 | powershell.exe | C:\Users\admin\Downloads\downloaded.zip |
MD5:
SHA256:
4724 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_v5rgoxtz.lxb.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4724 | powershell.exe | C:\Users\admin\Downloads\Extracted\Python\Launcher\py.exe | executable
MD5: 79EAE4FA8DD7E1CA489E59AB19B4FBED
SHA256: E52553F941CEB9E715D239E7A211501CE5D6096EEEB90FB161B7BFEDF6A61DAB
4724 | powershell.exe | C:\Users\admin\Downloads\Extracted\Python\Python312\DLLs\_ctypes.pyd | executable
MD5: BBD5533FC875A4A075097A7C6ABA865E
SHA256: BE9828A877E412B48D75ADDC4553D2D2A60AE762A3551F9731B50CAE7D65B570
4724 | powershell.exe | C:\Users\admin\Downloads\Extracted\Python\Python312\DLLs\_ctypes_test.pyd | executable
MD5: DE7F1806F2B9154850C69A7D91131F44
SHA256: F24A4A747D4384AF7D7716CEF4DE8B161F905FEE65D473828D66E97ADC7A92C4
4724 | powershell.exe | C:\Users\admin\Downloads\Extracted\Python\Launcher\pyshellext.amd64.dll | executable
MD5: 740DCC24BA59F6205DE3D5C5575A19A7
SHA256: 6A4A987548A8FA13C8678FDAE921C2084A92048E6002400D5C48D695C502E0BD
4724 | powershell.exe | C:\Users\admin\Downloads\Extracted\Python\Python312\DLLs\_decimal.pyd | executable
MD5: 3055EDF761508190B576E9BF904003AA
SHA256: E4104E47399D3F635A14D649F61250E9FD37F7E65C81FFE11F099923F8532577
4724 | powershell.exe | C:\Users\admin\Downloads\Extracted\Python\Launcher\pyw.exe | executable
MD5: 789952F58D76B2F41E8EADD9FAE66906
SHA256: 3C92D3E88C5B9DB5D0E655F72E20682B43C5E96CB939C0C7576883A10ADE18FD
4724 | powershell.exe | C:\Users\admin\Downloads\Extracted\Python\Python312\DLLs\_multiprocessing.pyd | executable
MD5: A4281E383EF82C482C8BDA50504BE04A
SHA256: 467B0FEF42D70B55ABF41D817DFF7631FAEEF84DCE64F8AADB5690A22808D40C
4724 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rudldh0n.rly.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
248
TCP/UDP connections
145
DNS requests
40
Threats
5

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
(the Type and Size columns are empty in the report; "-" marks a cell the report leaves empty)
5592 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
- | - | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | unknown
- | - | GET | 200 | 20.242.39.171:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | unknown
5592 | SIHClient.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5592 | SIHClient.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
5592 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
5592 | SIHClient.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
- | - | GET | 200 | 4.175.87.197:443 | https://slscr.update.microsoft.com/sls/ping | unknown | unknown
- | - | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | unknown
- | - | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
("-" marks a cell the report leaves empty)
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2112 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6272 | powershell.exe | 104.16.231.132:443 | watershed-oc-microwave-invite.trycloudflare.com | CLOUDFLARENET | - | whitelisted
6544 | svchost.exe | 20.190.160.4:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.142
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
  • 172.211.123.249
whitelisted
watershed-oc-microwave-invite.trycloudflare.com
  • 104.16.231.132
  • 104.16.230.132
whitelisted
login.live.com
  • 20.190.160.4
  • 40.126.32.68
  • 40.126.32.138
  • 20.190.160.64
  • 40.126.32.136
  • 40.126.32.140
  • 40.126.32.133
  • 20.190.160.14
  • 20.190.160.5
  • 20.190.160.66
  • 20.190.160.3
  • 20.190.160.67
  • 20.190.160.22
  • 40.126.32.76
  • 40.126.32.72
  • 20.190.160.20
  • 20.190.160.131
  • 20.190.160.132
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted

Threats

PID | Process | Class | Message
("-" marks a cell the report leaves empty)
6272 | powershell.exe | Misc activity | ET HUNTING TryCloudFlare Domain in TLS SNI
6272 | powershell.exe | Misc activity | ET INFO Observed trycloudflare .com Domain in TLS SNI
2196 | svchost.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Cloudflare Tunnel (TryCloudflare)
2196 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)
- | - | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
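Taken together, the process table, dropped files, connections and threats above record four behaviours worth turning into detection logic: tasklist and find probing for AvastUI.exe and avgui.exe, powershell.exe flagged for a hidden window and base64 use, PID 4724 writing a Python runtime (py.exe, .pyd modules) under Downloads\Extracted, and PID 6272 talking to a trycloudflare.com host. The Python below is an added example of such logic over event records shaped like that table; it is not ANY.RUN's signature engine. The PIDs, AV names, dropped paths and tunnel host are taken from the report; both PowerShell command lines are assumptions, since the report lists those processes with "no specs", and msmpeng.exe is an assumed addition to the AV list. The other processes in the table (slui.exe, SppExtComObj.exe, UCPDMgr.exe, SecureBootEncodeUEFI.exe) are Microsoft components started by svchost.exe or the Task Scheduler, which is why the checks key on command lines and parent/child relations rather than on image names alone.

```python
"""Heuristics for what the report records: AV discovery via tasklist/find, hidden or
base64-encoded PowerShell, PowerShell dropping executables under the user profile, and
TryCloudflare tunnel hosts. Added example; not ANY.RUN's detection logic."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# avastui.exe and avgui.exe are the names the sample probed; msmpeng.exe is an assumed extra.
AV_PROCESS_NAMES = {"avastui.exe", "avgui.exe", "msmpeng.exe"}
TUNNEL_SUFFIXES = (".trycloudflare.com",)
DROPPED_EXT = (".exe", ".dll", ".pyd")


@dataclass
class ProcEvent:
    pid: int
    image: str      # basename, e.g. "tasklist.exe"
    cmdline: str
    parent: str     # parent image basename


FileEvent = Tuple[int, str, str]   # (pid, image, path written)
NetEvent = Tuple[int, str, str]    # (pid, image, DNS name or TLS SNI)

_QUOTED = re.compile(r'"([^"]+)"')
_HIDDEN = re.compile(r"-w[a-z]*\s+hidden", re.I)          # -w / -win / -windowstyle hidden
# -e, -ec, -enc, -encodedcommand; the \b stops -ep / -ExecutionPolicy from matching.
_ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\b\s+([A-Za-z0-9+/=]+)", re.I)


def av_discovery(ev: ProcEvent) -> Optional[str]:
    """AV name probed via tasklist /FI "IMAGENAME eq X" or find /i "X", else None."""
    if ev.image.lower() not in ("tasklist.exe", "find.exe", "findstr.exe"):
        return None
    for token in _QUOTED.findall(ev.cmdline):
        name = token.split()[-1].lower()   # "IMAGENAME eq AvastUI.exe" -> avastui.exe
        if name in AV_PROCESS_NAMES:
            return name
    return None


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """-EncodedCommand is base64 over UTF-16LE; return the script text or None."""
    m = _ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def powershell_findings(ev: ProcEvent) -> List[str]:
    if ev.image.lower() != "powershell.exe":
        return []
    out = []
    if _HIDDEN.search(ev.cmdline):
        out.append("hidden-window")
    decoded = decode_encoded_command(ev.cmdline)
    if decoded is not None:
        out.append("encoded-command:" + decoded)
    if ev.parent.lower() == "cmd.exe":
        out.append("spawned-by-cmd")
    return out


def dropped_executable(ev: FileEvent) -> bool:
    """PowerShell writing PE files or Python modules under the user profile, as PID 4724 did."""
    _, image, path = ev
    p = path.lower()
    return image.lower() == "powershell.exe" and p.startswith("c:\\users\\") and p.endswith(DROPPED_EXT)


def triage(procs: List[ProcEvent], files: List[FileEvent], nets: List[NetEvent]) -> Dict[str, List[str]]:
    r: Dict[str, List[str]] = {"av_discovery": [], "powershell": []}
    for p in procs:
        name = av_discovery(p)
        if name:
            r["av_discovery"].append(f"{p.pid}:{name}")
        r["powershell"] += [f"{p.pid}:{f}" for f in powershell_findings(p)]
    r["dropped"] = [f"{f[0]}:{f[2]}" for f in files if dropped_executable(f)]
    r["tunnel"] = [f"{n[0]}:{n[2]}" for n in nets if n[2].lower().endswith(TUNNEL_SUFFIXES)]
    return r


# Constructed events mirroring the report: PIDs, AV names, dropped paths and the tunnel
# host are taken from it; both PowerShell command lines are assumptions ("no specs").
ENCODED_PLAINTEXT = 'Expand-Archive "$env:USERPROFILE\\Downloads\\downloaded.zip"'
_ENC = base64.b64encode(ENCODED_PLAINTEXT.encode("utf-16-le")).decode()
SAMPLE_PROCS = [
    ProcEvent(920, "tasklist.exe", 'tasklist /FI "IMAGENAME eq AvastUI.exe"', "cmd.exe"),
    ProcEvent(2152, "find.exe", 'find /i "AvastUI.exe"', "cmd.exe"),
    ProcEvent(2284, "find.exe", 'find /i "avgui.exe"', "cmd.exe"),
    ProcEvent(6044, "powershell.exe", 'powershell -w hidden -ep bypass -c "cmd /c tav.bat"', "cmd.exe"),
    ProcEvent(6272, "powershell.exe", "powershell -NoP -W Hidden -Enc " + _ENC, "powershell.exe"),
]
SAMPLE_FILES = [
    (4724, "powershell.exe", r"C:\Users\admin\Downloads\Extracted\Python\Launcher\py.exe"),
    (4724, "powershell.exe", r"C:\Users\admin\Downloads\Extracted\Python\Python312\DLLs\_ctypes.pyd"),
    (4724, "powershell.exe", r"C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rudldh0n.rly.ps1"),
]
SAMPLE_NETS = [
    (6272, "powershell.exe", "watershed-oc-microwave-invite.trycloudflare.com"),
    (2104, "svchost.exe", "settings-win.data.microsoft.com"),
]

if __name__ == "__main__":
    for category, hits in triage(SAMPLE_PROCS, SAMPLE_FILES, SAMPLE_NETS).items():
        print(f"{category}: {hits}")
```

Two details carry most of the value. The `-EncodedCommand` payload is base64 over UTF-16LE, not UTF-8, so a decoder that forgets the second step prints NUL-interleaved garbage; and PowerShell accepts any unambiguous prefix of a parameter name, so matching only the literal `-EncodedCommand` or `-WindowStyle` misses the `-enc` and `-w` forms the sample's style of launcher actually uses. The AV check keys on the quoted argument to tasklist and find rather than on the process names, because both tools run constantly in benign scripts. On the constructed events the output is three AV-discovery hits, hidden-window and spawned-by-cmd for PID 6044, the decoded Expand-Archive command for PID 6272, two dropped executables for PID 4724 and one tunnel host.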
No debug info