File name: ~.tmp
Full analysis: https://app.any.run/tasks/133e48d3-65b8-456d-9f89-66ef922c73dd
Verdict: Malicious activity
Analysis date: April 15, 2025, 17:10:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: lua
Indicators:
MIME: text/plain
File info: Unicode text, UTF-16, little-endian text, with very long lines (8696), with CRLF line terminators
MD5: 1DDAB156B9FD709FF8FE61FFA2AFB789
SHA1: F3626FDAB000C6C634569B95683FD8CF1B2934BB
SHA256: 290863999FD0713841DD7CE2BEC725CEE3F5A467A5DE00F819B2471867BFB105
SSDEEP: 1536:x0Y6Iij7lm5LxFAHUhpDqxVsOca0GrcFvQYfpy7zdz3G4GD4IuaIJ7fJpZycaCT2:x+KUzxJ3qNRYGr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses sleep, probably to evade detection (SCRIPT)

      • wscript.exe (PID: 1184)
      • wscript.exe (PID: 5576)
    • Copies file to a new location (SCRIPT)

      • wscript.exe (PID: 1184)
      • wscript.exe (PID: 5576)
    • Creates a new folder (SCRIPT)

      • wscript.exe (PID: 5576)
      • wscript.exe (PID: 1184)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • vlc.exe (PID: 7476)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 1184)
      • wscript.exe (PID: 5576)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 1184)
      • wscript.exe (PID: 5576)
    • Executes application which crashes

      • wscript.exe (PID: 1184)
      • wscript.exe (PID: 5576)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 5576)
      • wscript.exe (PID: 1184)
    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 5308)
      • WerFault.exe (PID: 6516)
  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 2148)
      • cmd.exe (PID: 5404)
      • cmd.exe (PID: 5528)
      • cmd.exe (PID: 7968)
    • Reads the computer name

      • vlc.exe (PID: 7476)
    • Reads the software policy settings

      • slui.exe (PID: 7660)
      • slui.exe (PID: 7264)
    • The process uses Lua

      • vlc.exe (PID: 7476)
    • Checks supported languages

      • vlc.exe (PID: 7476)
    • Checks proxy server information

      • slui.exe (PID: 7264)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 5308)
      • WerFault.exe (PID: 6516)
No Malware configuration.

TRiD

.txt | Text - UTF-16 (LE) encoded (66.6)
.mp3 | MP3 audio (33.3)
No data.
All screenshots are available in the full report
Total processes: 153
Monitored processes: 17
Malicious processes: 4
Suspicious processes: 0

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID: 1184
CMD: wscript.exe //e:vbscript ~.tmp
Path: C:\Windows\System32\wscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 3221225477
Version: 5.812.10240.16384
PID: 2148
CMD: "C:\Windows\System32\cmd.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 2392
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 3240
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 5308
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 1184 -s 1088
Path: C:\Windows\System32\WerFault.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 5404
CMD: "C:\WINDOWS\System32\cmd.exe" /C "C:\Users\admin\AppData\Local\Temp\~.bat"
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 5528
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\~.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 5576
CMD: wscript.exe //e:vbscript ~.tmp
Path: C:\Windows\System32\wscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 3221225477
Version: 5.812.10240.16384
PID: 6388
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 6516
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 5576 -s 1056
Path: C:\Windows\System32\WerFault.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Total events: 6 003
Read events: 6 003
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 6
Text files: 4
Unknown types: 0

Dropped files

PID
Process
Filename
Type

PID: 5308
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_wscript.exe_158a35e2ae135cb5cc23185ec7683ce9a8c4ad0_2a4c609f_0db6b573-0cae-4e2b-b786-060c58d8f646\Report.wer

PID: 6516
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_wscript.exe_158a35e2ae135cb5cc23185ec7683ce9a8c4ad0_2a4c609f_3ff2ee79-300d-45b8-84f1-77d4ea083d5e\Report.wer

PID: 7476
Process: vlc.exe
Filename: C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini
Type: text
MD5:B3CA23F00CA5AE7C23D201028FD35F07
SHA256:129881635A9977A861E1EC021954D73D83B20DA24EB3DF977F7F6C538433D90F

PID: 7476
Process: vlc.exe
Filename: C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock
Type: text
MD5:F7B58A499AB3777D121CA270B37BBD21
SHA256:D2029538E38B6350289DA60A92BED966FE21DC82126E0F19E71D444F12CE82F5

PID: 5308
Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\wscript.exe.1184.dmp
Type: binary
MD5:54F3CBBF61C211186602BCAD4D3BFFDD
SHA256:F5512556C9B5E5B66FDB70B0CA6B96274B26651D267A9AB33053DA31DAA877F6

PID: 6516
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA306.tmp.WERInternalMetadata.xml
Type: binary
MD5:E89D7616FB8F2930F921C8D7B619AEEE
SHA256:E8E607FB6B910409B0DED6D1657507B63E8F85CCE7560063BC615796FB5B0B9B

PID: 1184
Process: wscript.exe
Filename: C:\Users\admin\AppData\Roaming\~.tmp
Type: text
MD5:1DDAB156B9FD709FF8FE61FFA2AFB789
SHA256:290863999FD0713841DD7CE2BEC725CEE3F5A467A5DE00F819B2471867BFB105

PID: 5308
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER94A8.tmp.WERInternalMetadata.xml
Type: binary
MD5:FBBC7E85F2D0D3FE2697C3A6F87A81FC
SHA256:7F808DE4590A340EC0148E11D222E80840198EC7BDE46C2E078465A43AB52008

PID: 6516
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA326.tmp.xml
Type: xml
MD5:8C6A3DA193B15CA8368D680329DD265D
SHA256:270D01B883542182A43505D6124A51939EF5DDFADBD0477E7533D83FBB776F47

PID: 7476
Process: vlc.exe
Filename: C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini.oS7476
Type: text
MD5:B3CA23F00CA5AE7C23D201028FD35F07
SHA256:129881635A9977A861E1EC021954D73D83B20DA24EB3DF977F7F6C538433D90F
HTTP(S) requests: 4
TCP/UDP connections: 22
DNS requests: 16
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation

PID: 6544
Process: svchost.exe
Method: GET
HTTP Code: 200
IP: 2.23.77.188:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
CN: unknown
Reputation: whitelisted

Method: GET
HTTP Code: 200
IP: 2.19.11.105:80
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
CN: unknown
Reputation: whitelisted

PID: 7316
Process: SIHClient.exe
Method: GET
HTTP Code: 200
IP: 95.101.149.131:80
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
CN: unknown
Reputation: whitelisted

PID: 7316
Process: SIHClient.exe
Method: GET
HTTP Code: 200
IP: 95.101.149.131:80
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
CN: unknown
Reputation: whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

IP: 51.124.78.146:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: NL
Reputation: whitelisted

IP: 2.19.11.105:80
Domain: crl.microsoft.com
ASN: Elisa Oyj
CN: NL
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID: 3216
Process: svchost.exe
IP: 172.211.123.250:443
Domain: client.wns.windows.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: FR
Reputation: whitelisted

PID: 6544
Process: svchost.exe
IP: 40.126.31.129:443
Domain: login.live.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID: 6544
Process: svchost.exe
IP: 2.23.77.188:80
Domain: ocsp.digicert.com
ASN: AKAMAI-AS
CN: DE
Reputation: whitelisted

PID: 2104
Process: svchost.exe
IP: 40.127.240.158:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID: 7316
Process: SIHClient.exe
IP: 172.202.163.200:443
Domain: slscr.update.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: GB
Reputation: whitelisted

PID: 7316
Process: SIHClient.exe
IP: 95.101.149.131:80
Domain: www.microsoft.com
ASN: Akamai International B.V.
CN: NL
Reputation: whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.19.11.105
  • 2.19.11.120
whitelisted
google.com
  • 142.250.184.206
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.31.129
  • 40.126.31.67
  • 40.126.31.71
  • 20.190.159.73
  • 40.126.31.69
  • 20.190.159.71
  • 20.190.159.75
  • 20.190.159.64
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info