File name:

tav.bat

Full analysis: https://app.any.run/tasks/13213a1a-56b7-4f8e-8e41-f92fff82a5a4
Verdict: Malicious activity
Analysis date: April 29, 2025, 06:35:03
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-doc
Indicators:
MIME: text/plain
File info: Unicode text, UTF-16, little-endian text, with very long lines (21538), with no line terminators
MD5:

F8569D38BB167E5A804A5AE98DB12332

SHA1:

46776BA3390CA7530E95B5CD125391DC8C0AE354

SHA256:

1C716C76FAC6F65556D1491042941411DEA90E37903CED1BCBD018B0B52CBC72

SSDEEP:

192:XNFT+mjjXbwiu+Nc6UoOtOB7vg+USBSLBBg8ccyTAFnfcXLSWAyDeeSHRS8S4OUP:hcMOIt0nKFtn5n1nfl/nc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6044)

    • Antivirus name has been found in the command line (generic signature)

      • tasklist.exe (PID: 920)
      • find.exe (PID: 2152)
      • find.exe (PID: 2284)
      • tasklist.exe (PID: 6872)

  • SUSPICIOUS

    • Starts process via Powershell

      • powershell.exe (PID: 6044)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 6044)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4448)
      • cmd.exe (PID: 5892)

    • Executing commands from a ".bat" file

      • powershell.exe (PID: 6044)

    • Get information on the list of running processes

      • cmd.exe (PID: 5892)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6272)

    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 4724)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 4724)

    • Process drops python dynamic module

      • powershell.exe (PID: 4724)

    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 3720)
      • SecureBootEncodeUEFI.exe (PID: 656)

  • INFO

    • Disables trace logs

      • powershell.exe (PID: 6272)

    • Checks proxy server information

      • powershell.exe (PID: 6272)
      • slui.exe (PID: 5964)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 4724)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4724)

    • Reads the software policy settings

      • slui.exe (PID: 3676)
      • slui.exe (PID: 5964)

    • The sample compiled with english language support

      • powershell.exe (PID: 4724)

    • Creates files in the program directory

      • PLUGScheduler.exe (PID: 3720)

    • Encodes the UEFI Secure Boot certificates

      • SecureBootEncodeUEFI.exe (PID: 656)

    • Reads the computer name

      • PLUGScheduler.exe (PID: 3720)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.txt | Text - UTF-16 (LE) encoded (66.6)
.mp3 | MP3 audio (33.3)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
299
Monitored processes
22
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs powershell.exe no specs sppextcomobj.exe no specs slui.exe cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs tasklist.exe no specs find.exe no specs powershell.exe svchost.exe slui.exe powershell.exe plugscheduler.exe no specs securebootencodeuefi.exe no specs conhost.exe no specs ucpdmgr.exe no specs conhost.exe no specs ucpdmgr.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
656"C:\WINDOWS\system32\SecureBootEncodeUEFI.exe"C:\Windows\System32\SecureBootEncodeUEFI.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Secure Boot UEFI Encoder
Exit code:
3221225728
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\securebootencodeuefi.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
916\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeSecureBootEncodeUEFI.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
920tasklist /FI "IMAGENAME eq AvastUI.exe" C:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1300C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
1872"C:\WINDOWS\system32\UCPDMgr.exe"C:\Windows\System32\UCPDMgr.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
User Choice Protection Manager
Exit code:
0
Version:
1.0.0.414301
Modules
Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2152find /i "AvastUI.exe" C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2284find /i "avgui.exe" C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
2760"C:\WINDOWS\system32\UCPDMgr.exe"C:\Windows\System32\UCPDMgr.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
User Choice Protection Manager
Exit code:
0
Version:
1.0.0.414301
Modules
Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
3676"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
20 946
Read events
20 946
Write events
0
Delete events
0

Modification events

No data
Executable files
41
Suspicious files
177
Text files
878
Unknown types
0

Dropped files

PID
Process
Filename
Type
6272powershell.exeC:\Users\admin\Downloads\downloaded.zip
MD5:
SHA256:
6044powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_slw5zl5n.3na.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6044powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:5D0C680552C3C15C0B028EA6A43A1617
SHA256:A64B72DDE154C6B7639726DB39A9A4D41F8BBA0818CD5C6447B24EA6361458A5
4724powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rudldh0n.rly.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4724powershell.exeC:\Users\admin\Downloads\Extracted\Python\Python312\DLLs\_asyncio.pydexecutable
MD5:28D2A0405BE6DE3D168F28109030130C
SHA256:2DFCAEC25DE17BE21F91456256219578EAE9A7AEC5D21385DEC53D0840CF0B8D
4724powershell.exeC:\Users\admin\Downloads\Extracted\Python\Launcher\pyshellext.amd64.dllexecutable
MD5:740DCC24BA59F6205DE3D5C5575A19A7
SHA256:6A4A987548A8FA13C8678FDAE921C2084A92048E6002400D5C48D695C502E0BD
4724powershell.exeC:\Users\admin\Downloads\Extracted\Python\Python312\DLLs\_ctypes_test.pydexecutable
MD5:DE7F1806F2B9154850C69A7D91131F44
SHA256:F24A4A747D4384AF7D7716CEF4DE8B161F905FEE65D473828D66E97ADC7A92C4
6272powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_151uxeye.kpv.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6044powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vhp5l3tf.dla.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4724powershell.exeC:\Users\admin\Downloads\Extracted\Python\Python312\DLLs\_elementtree.pydexecutable
MD5:B479ED301E990690A30FC855E6B45F94
SHA256:0C488E6883A70CD54A71A9E28796F87EF6CC0D288260A965CBB24BF1D7309A20
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
248
TCP/UDP connections
145
DNS requests
40
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5592
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5592
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5592
SIHClient.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
5592
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
5592
SIHClient.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
5592
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5592
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
GET
200
20.242.39.171:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
5592
SIHClient.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
304
4.175.87.197:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6272
powershell.exe
104.16.231.132:443
watershed-oc-microwave-invite.trycloudflare.com
CLOUDFLARENET
whitelisted
6544
svchost.exe
20.190.160.4:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.142
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
  • 172.211.123.249
whitelisted
watershed-oc-microwave-invite.trycloudflare.com
  • 104.16.231.132
  • 104.16.230.132
whitelisted
login.live.com
  • 20.190.160.4
  • 40.126.32.68
  • 40.126.32.138
  • 20.190.160.64
  • 40.126.32.136
  • 40.126.32.140
  • 40.126.32.133
  • 20.190.160.14
  • 20.190.160.5
  • 20.190.160.66
  • 20.190.160.3
  • 20.190.160.67
  • 20.190.160.22
  • 40.126.32.76
  • 40.126.32.72
  • 20.190.160.20
  • 20.190.160.131
  • 20.190.160.132
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
6272
powershell.exe
Misc activity
ET HUNTING TryCloudFlare Domain in TLS SNI
6272
powershell.exe
Misc activity
ET INFO Observed trycloudflare .com Domain in TLS SNI
2196
svchost.exe
Potentially Bad Traffic
SUSPICIOUS [ANY.RUN] Cloudflare Tunnel (TryCloudflare)
2196
svchost.exe
Potentially Bad Traffic
ET INFO Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
tav.bat