File name:

~.tmp

Full analysis: https://app.any.run/tasks/133e48d3-65b8-456d-9f89-66ef922c73dd
Verdict: Malicious activity
Analysis date: April 15, 2025, 17:10:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
lua
Indicators:
MIME: text/plain
File info: Unicode text, UTF-16, little-endian text, with very long lines (8696), with CRLF line terminators
MD5:

1DDAB156B9FD709FF8FE61FFA2AFB789

SHA1:

F3626FDAB000C6C634569B95683FD8CF1B2934BB

SHA256:

290863999FD0713841DD7CE2BEC725CEE3F5A467A5DE00F819B2471867BFB105

SSDEEP:

1536:x0Y6Iij7lm5LxFAHUhpDqxVsOca0GrcFvQYfpy7zdz3G4GD4IuaIJ7fJpZycaCT2:x+KUzxJ3qNRYGr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 1184)
      • wscript.exe (PID: 5576)
    • Creates a new folder (SCRIPT)

      • wscript.exe (PID: 1184)
      • wscript.exe (PID: 5576)
    • Copies file to a new location (SCRIPT)

      • wscript.exe (PID: 1184)
      • wscript.exe (PID: 5576)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • vlc.exe (PID: 7476)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 1184)
      • wscript.exe (PID: 5576)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 1184)
      • wscript.exe (PID: 5576)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 1184)
      • wscript.exe (PID: 5576)
    • Executes application which crashes

      • wscript.exe (PID: 1184)
      • wscript.exe (PID: 5576)
    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 5308)
      • WerFault.exe (PID: 6516)
  • INFO

    • Checks supported languages

      • vlc.exe (PID: 7476)
    • Reads the computer name

      • vlc.exe (PID: 7476)
    • The process uses Lua

      • vlc.exe (PID: 7476)
    • Reads the software policy settings

      • slui.exe (PID: 7660)
      • slui.exe (PID: 7264)
    • Manual execution by a user

      • cmd.exe (PID: 5404)
      • cmd.exe (PID: 5528)
      • cmd.exe (PID: 2148)
      • cmd.exe (PID: 7968)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 5308)
      • WerFault.exe (PID: 6516)
    • Checks proxy server information

      • slui.exe (PID: 7264)
No Malware configuration.

TRiD

.txt | Text - UTF-16 (LE) encoded (66.6)
.mp3 | MP3 audio (33.3)
No data.
All screenshots are available in the full report
Total processes
153
Monitored processes
17
Malicious processes
4
Suspicious processes
0

Behavior graph

Process chain (from the behavior graph; "no specs" marks processes for which no details were collected):
  • vlc.exe (no specs)
  • sppextcomobj.exe (no specs)
  • slui.exe
  • rundll32.exe (no specs)
  • slui.exe
  • cmd.exe
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • wscript.exe
  • werfault.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • wscript.exe
  • werfault.exe (no specs)

Process information

PID: 1184
CMD: wscript.exe //e:vbscript ~.tmp
Path: C:\Windows\System32\wscript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
3221225477
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2148
CMD: "C:\Windows\System32\cmd.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\wldp.dll
PID: 2392
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3240
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5308
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 1184 -s 1088
Path: C:\Windows\System32\WerFault.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
PID: 5404
CMD: "C:\WINDOWS\System32\cmd.exe" /C "C:\Users\admin\AppData\Local\Temp\~.bat"
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 5528
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\~.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 5576
CMD: wscript.exe //e:vbscript ~.tmp
Path: C:\Windows\System32\wscript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
3221225477
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6388
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6516
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 5576 -s 1056
Path: C:\Windows\System32\WerFault.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
Total events
6 003
Read events
6 003
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
6
Text files
4
Unknown types
0

Dropped files

PID: 5308
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_wscript.exe_158a35e2ae135cb5cc23185ec7683ce9a8c4ad0_2a4c609f_0db6b573-0cae-4e2b-b786-060c58d8f646\Report.wer
MD5:
SHA256:

PID: 6516
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_wscript.exe_158a35e2ae135cb5cc23185ec7683ce9a8c4ad0_2a4c609f_3ff2ee79-300d-45b8-84f1-77d4ea083d5e\Report.wer
MD5:
SHA256:

PID: 5308
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER94B8.tmp.xml
Type: xml
MD5: 5CD313A68D0F6C1F8936335959803C3D
SHA256: D1553CE0D6A877D02E83DE08F805A01C9FB6EF944B91607BBD98CF2886CECEB5

PID: 5308
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER93AD.tmp.dmp
Type: binary
MD5: 9D8FC5480647435ACCEFFE01E5073928
SHA256: F9D2A45A1AEDBB35EA8EDB6122D9A28F4EA75906A9900F97B6E3DD3C73AA3F52

PID: 6516
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA278.tmp.dmp
Type: binary
MD5: FCB95ECF19EB373EECCBA1A160BD9974
SHA256: D428AB6DD081C30B8D285195DD0DD3497E7C339E508AE33860569F7075ABEF6E

PID: 1184
Process: wscript.exe
Filename: C:\Users\admin\AppData\Roaming\~.tmp
Type: text
MD5: 1DDAB156B9FD709FF8FE61FFA2AFB789
SHA256: 290863999FD0713841DD7CE2BEC725CEE3F5A467A5DE00F819B2471867BFB105

PID: 5308
Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\wscript.exe.1184.dmp
Type: binary
MD5: 54F3CBBF61C211186602BCAD4D3BFFDD
SHA256: F5512556C9B5E5B66FDB70B0CA6B96274B26651D267A9AB33053DA31DAA877F6

PID: 5308
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER94A8.tmp.WERInternalMetadata.xml
Type: binary
MD5: FBBC7E85F2D0D3FE2697C3A6F87A81FC
SHA256: 428C00D949B51FECD85CDF8768FF67CF8A38C5C0862DA287174A3013C8BB2F07

PID: 7476
Process: vlc.exe
Filename: C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini
Type: text
MD5: B3CA23F00CA5AE7C23D201028FD35F07
SHA256: 129881635A9977A861E1EC021954D73D83B20DA24EB3DF977F7F6C538433D90F

PID: 7476
Process: vlc.exe
Filename: C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock
Type: text
MD5: F7B58A499AB3777D121CA270B37BBD21
SHA256: D2029538E38B6350289DA60A92BED966FE21DC82126E0F19E71D444F12CE82F5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
22
DNS requests
16
Threats
0

HTTP requests

Columns as reported: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (cells the report left empty are omitted from each row)

GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7316 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7316 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 2.19.11.105:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 40.126.31.129:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7316 | SIHClient.exe | 172.202.163.200:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
7316 | SIHClient.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.19.11.105
  • 2.19.11.120
whitelisted
google.com
  • 142.250.184.206
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.31.129
  • 40.126.31.67
  • 40.126.31.71
  • 20.190.159.73
  • 40.126.31.69
  • 20.190.159.71
  • 20.190.159.75
  • 20.190.159.64
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info