File name:

~.tmp

Full analysis: https://app.any.run/tasks/f59dc4ce-ec68-4196-828d-7ab5f5bb9574
Verdict: Malicious activity
Analysis date: April 15, 2025, 17:22:10
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
lua
Indicators:
MIME: text/plain
File info: Unicode text, UTF-16, little-endian text, with very long lines (8696), with CRLF line terminators
MD5:

1DDAB156B9FD709FF8FE61FFA2AFB789

SHA1:

F3626FDAB000C6C634569B95683FD8CF1B2934BB

SHA256:

290863999FD0713841DD7CE2BEC725CEE3F5A467A5DE00F819B2471867BFB105

SSDEEP:

1536:x0Y6Iij7lm5LxFAHUhpDqxVsOca0GrcFvQYfpy7zdz3G4GD4IuaIJ7fJpZycaCT2:x+KUzxJ3qNRYGr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 7020)
      • wscript.exe (PID: 3096)
      • wscript.exe (PID: 872)
      • cscript.exe (PID: 236)
      • wscript.exe (PID: 2096)
    • Creates a new folder (SCRIPT)

      • wscript.exe (PID: 7020)
      • wscript.exe (PID: 3096)
      • wscript.exe (PID: 872)
      • cscript.exe (PID: 236)
      • wscript.exe (PID: 2096)
    • Copies file to a new location (SCRIPT)

      • wscript.exe (PID: 7020)
      • wscript.exe (PID: 3096)
      • wscript.exe (PID: 872)
      • cscript.exe (PID: 236)
      • wscript.exe (PID: 2096)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • vlc.exe (PID: 4244)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7020)
      • wscript.exe (PID: 3096)
      • wscript.exe (PID: 872)
      • cscript.exe (PID: 236)
      • wscript.exe (PID: 2096)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 7020)
      • wscript.exe (PID: 3096)
      • wscript.exe (PID: 872)
      • cscript.exe (PID: 236)
      • wscript.exe (PID: 2096)
    • Executes application which crashes

      • wscript.exe (PID: 7020)
      • wscript.exe (PID: 3096)
      • wscript.exe (PID: 872)
      • cscript.exe (PID: 236)
      • wscript.exe (PID: 2096)
    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 1272)
      • WerFault.exe (PID: 4040)
      • WerFault.exe (PID: 5508)
      • WerFault.exe (PID: 2596)
      • WerFault.exe (PID: 6244)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 3096)
      • wscript.exe (PID: 872)
      • cscript.exe (PID: 236)
      • wscript.exe (PID: 2096)
      • wscript.exe (PID: 7020)
    • The process executes VB scripts

      • cmd.exe (PID: 5308)
  • INFO

    • Checks supported languages

      • vlc.exe (PID: 4244)
      • vlc.exe (PID: 2064)
    • Reads the computer name

      • vlc.exe (PID: 4244)
      • vlc.exe (PID: 2064)
    • The process uses Lua

      • vlc.exe (PID: 4244)
    • Manual execution by a user

      • mspaint.exe (PID: 5256)
      • vlc.exe (PID: 2064)
      • WINWORD.EXE (PID: 1324)
      • wscript.exe (PID: 7020)
      • wscript.exe (PID: 872)
      • cscript.exe (PID: 236)
      • cmd.exe (PID: 5308)
      • wscript.exe (PID: 3096)
    • Reads the software policy settings

      • slui.exe (PID: 1300)
      • slui.exe (PID: 6208)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 5136)
      • cscript.exe (PID: 236)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 4208)
    • Checks proxy server information

      • slui.exe (PID: 6208)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 1272)
      • WerFault.exe (PID: 4040)
      • WerFault.exe (PID: 5508)
      • WerFault.exe (PID: 2596)
      • WerFault.exe (PID: 6244)
No Malware configuration.

TRiD

.txt | Text - UTF-16 (LE) encoded (66.6)
.mp3 | MP3 audio (33.3)
No data.
All screenshots are available in the full report
Total processes
169
Monitored processes
24
Malicious processes
6
Suspicious processes
0

Behavior graph

Process nodes, in graph order ("no specs" is the report's own marker for a node without triggered signatures):

  • start
  • vlc.exe (no specs)
  • sppextcomobj.exe (no specs)
  • slui.exe
  • mspaint.exe (no specs)
  • winword.exe
  • ai.exe (no specs)
  • vlc.exe (no specs)
  • slui.exe
  • rundll32.exe (no specs)
  • Copy/Move/Rename/Delete/Link Object (no specs)
  • openwith.exe (no specs)
  • wscript.exe
  • wscript.exe
  • werfault.exe (no specs)
  • wscript.exe
  • werfault.exe (no specs)
  • werfault.exe (no specs)
  • cscript.exe
  • conhost.exe (no specs)
  • werfault.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • wscript.exe
  • werfault.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 236
CMD: "C:\WINDOWS\System32\CScript.exe" "C:\~.tmp.vbs"
Path: C:\Windows\System32\cscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
3221225477
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 744
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 872
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\~.tmp.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
3221225477
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 900
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 1272
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 7020 -s 1040
Path: C:\Windows\System32\WerFault.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
PID: 1300
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1324
CMD: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\anycatalog.rtf" /o ""
Path: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2064
CMD: "C:\Program Files\VideoLAN\VLC\vlc.exe"
Path: C:\Program Files\VideoLAN\VLC\vlc.exe
Parent process: explorer.exe
User:
admin
Company:
VideoLAN
Integrity Level:
MEDIUM
Description:
VLC media player
Exit code:
0
Version:
3.0.11
Modules
Images
c:\program files\videolan\vlc\vlc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\program files\videolan\vlc\libvlc.dll
PID: 2096
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\~.tmp.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
3221225477
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2596
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 236 -s 1060
Path: C:\Windows\System32\WerFault.exe
Parent process: cscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
Total events
22 495
Read events
22 189
Write events
281
Delete events
25

Modification events

(PID) Process: (5256) mspaint.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation: write
Name: WindowPlacement
Value: 2C00000000000000010000000000000000000000FFFFFFFFFFFFFFFF7F000000470000007F04000087020000

(PID) Process: (5256) mspaint.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation: write
Name: ShowThumbnail
Value: 0

(PID) Process: (5256) mspaint.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation: write
Name: BMPWidth
Value: 0

(PID) Process: (5256) mspaint.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation: write
Name: BMPHeight
Value: 0

(PID) Process: (5256) mspaint.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation: write
Name: ThumbXPos
Value: 0

(PID) Process: (5256) mspaint.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation: write
Name: ThumbYPos
Value: 0

(PID) Process: (5256) mspaint.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation: write
Name: ThumbWidth
Value: 0

(PID) Process: (5256) mspaint.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation: write
Name: ThumbHeight
Value: 0

(PID) Process: (5256) mspaint.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation: write
Name: UnitSetting
Value: 0

(PID) Process: (5256) mspaint.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation: write
Name: ShowRulers
Value: 0
Executable files
10
Suspicious files
44
Text files
19
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 4244 | Process: vlc.exe | Filename: | Type:
MD5:
SHA256:

PID: 1324 | Process: WINWORD.EXE | Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin | Type: text
MD5: CC90D669144261B198DEAD45AA266572
SHA256: 89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899

PID: 1324 | Process: WINWORD.EXE | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | Type: binary
MD5: 50BA5779BAF551FEF65FBE5CBE6DEB67
SHA256: 4EDFDE6E6B1B5006F632052A8BFD15428E7F6F8EC908766B1709D3FBBAC70A4F

PID: 4244 | Process: vlc.exe | Filename: C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini | Type: text
MD5: C0E7F714F3BB6490047980D732B1AE0D
SHA256: 07874D8A8DD4666E851996ABB73A23649A139F9280E921796D435D2FF85B1C8E

PID: 4244 | Process: vlc.exe | Filename: C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock | Type: text
MD5: 4EEFF41140BE64C959944777B8EDE39C
SHA256: 84ADF53D84D442C43AD387D7E67872825E0AEC5CECBFA0BFA98807174FB308AE

PID: 4244 | Process: vlc.exe | Filename: C:\Users\admin\AppData\Roaming\vlc\ml.xspf | Type: xml
MD5: 781602441469750C3219C8C38B515ED4
SHA256: 81970DBE581373D14FBD451AC4B3F96E5F69B79645F1EE1CA715CFF3AF0BF20D

PID: 4244 | Process: vlc.exe | Filename: C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini.kB4244 | Type: text
MD5: D94811EEE2A6753BED0E36DB5ECEA8D1
SHA256: 0B67F201745A652794C739D79FC718BF8541BE453EA7E7F1FBBDD840C80BDACC

PID: 1324 | Process: WINWORD.EXE | Filename: C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres | Type: binary
MD5: 26612F51B12207EAF4457BFAADE86A42
SHA256: 438E9B672119F7C646B11B1011605E84116A398B14810EA8A08BC04394F22E4D

PID: 1324 | Process: WINWORD.EXE | Filename: C:\Users\admin\Desktop\~$ycatalog.rtf | Type: binary
MD5: 8441D002AF5F3B875467BBF0BE4C8EAD
SHA256: 2A4CA3731D3F15DFEF93A1707C48D1CAC4A07D1451BDA342D25FBA79E50A94A5

PID: 1324 | Process: WINWORD.EXE | Filename: C:\Users\admin\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json | Type: binary
MD5: CFD54484BBCCD842CE5113068C419A8A
SHA256: 4FEE36BCBAB47965FD07134DE0BC666ECE4041CD1495D0107B468630BF6ED571
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
33
DNS requests
25
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
516
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1324
WINWORD.EXE
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
1324
WINWORD.EXE
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
516
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.130:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
516
SIHClient.exe
20.12.23.50:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
516
SIHClient.exe
2.16.253.202:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
google.com
  • 216.58.206.78
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.130
  • 20.190.160.5
  • 20.190.160.128
  • 40.126.32.136
  • 20.190.160.67
  • 20.190.160.3
  • 40.126.32.72
  • 40.126.32.68
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 2.16.253.202
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
officeclient.microsoft.com
  • 52.109.28.46
whitelisted

Threats

No threats detected
No debug info