File name: 2df22c410a4517d699160ed70b9698f5ccd79b161a577b57a9c75ac651b2d91e.js

Full analysis: https://app.any.run/tasks/3d994f39-72b9-4372-b5ab-e43c531c2677
Verdict: Malicious activity
Threats:

UpCrypter is a malware loader used to deliver remote access tools. Distributed through global phishing campaigns targeting Windows systems, this actively maintained tool serves as the central framework for deploying various RATs, including PureHVNC, DCRat and Babylon RAT, giving attackers persistent remote control over compromised systems.

Analysis date: February 27, 2026, 07:17:15
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
upcrypter
susp-powershell
Indicators:
MIME: text/plain
File info: Unicode text, UTF-16, little-endian text, with very long lines (4316), with CRLF line terminators
MD5: B1282A3ECA06117F28C1135969D5ADAE
SHA1: AA5741EB90C04ED36888119D7F12B4705D8D9621
SHA256: 2DF22C410A4517D699160ED70B9698F5CCD79B161A577B57A9C75AC651B2D91E
SSDEEP: 384:EOoNQQ9dswoNQQ9dsvX9p3yAHXkXDXDXDXDXDXDXDXDXDXDXDXDXDXDXDXDXDXCr:ap3yAL7aYEdp4QzIwSM0C0
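The "File info" line above says the sample is UTF-16 LE text with a 4316-character line. That matters for triage: an ASCII-only string scan (grep, a YARA string without the `wide` modifier) sees a NUL byte between every character and never matches `WScript.Shell`. The Python below is an added example, not part of the ANY.RUN report: it decodes by BOM (or by the NUL interleaving when the BOM is missing), reports line statistics and searches the decoded text for WSH indicators, next to what a raw byte scan would have seen. The sample bytes and the indicator list are constructed for the demo and are not the real sample's content.

```python
"""Static triage of a UTF-16 LE script dropper.

Added example (not from the ANY.RUN report). The sample bytes below are
constructed for the demo; the indicator list is this example's own.
"""
import codecs

# Strings a WSH dropper commonly contains (assumed list, not from the report).
WSH_INDICATORS = (
    "WScript.Shell",
    "Scripting.FileSystemObject",
    "ActiveXObject",
    "powershell",
    "-ExecutionPolicy Bypass",
)


def decode_script(data: bytes):
    """Return (encoding, text). Honours UTF-16 BOMs, detects BOM-less UTF-16 LE
    by the NUL-interleaving of ASCII text, and falls back to latin-1."""
    if data.startswith(codecs.BOM_UTF16_LE):
        return "utf-16-le", data[2:].decode("utf-16-le", errors="replace")
    if data.startswith(codecs.BOM_UTF16_BE):
        return "utf-16-be", data[2:].decode("utf-16-be", errors="replace")
    if len(data) >= 4 and data[1:2] == b"\x00" and data[3:4] == b"\x00":
        return "utf-16-le", data.decode("utf-16-le", errors="replace")
    return "latin-1", data.decode("latin-1")


def triage(data: bytes, long_line: int = 1000) -> dict:
    """Line statistics and indicator hits on the decoded text, next to what an
    ASCII-only byte scan of the same bytes would have seen."""
    enc, text = decode_script(data)
    lines = text.splitlines()
    longest = max((len(line) for line in lines), default=0)
    lowered = text.lower()
    return {
        "encoding": enc,
        "crlf": "\r\n" in text,
        "lines": len(lines),
        "longest_line": longest,
        "has_very_long_line": longest >= long_line,
        "indicators": [i for i in WSH_INDICATORS if i.lower() in lowered],
        "ascii_visible_indicators": [i for i in WSH_INDICATORS if i.encode() in data],
    }


# Constructed UTF-16 LE sample with a BOM, CRLF line ends and one very long line.
SAMPLE = codecs.BOM_UTF16_LE + (
    'var sh = new ActiveXObject("WScript.Shell");\r\n'
    'var fso = new ActiveXObject("Scripting.FileSystemObject");\r\n'
    'sh.Run("powershell -ExecutionPolicy Bypass -file C:\\\\Users\\\\Public\\\\x.ps1", 0);\r\n'
    'var pad = "' + "A" * 1500 + '";\r\n'
).encode("utf-16-le")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the constructed sample every indicator is found in the decoded text and none in the raw bytes, which is exactly the gap a UTF-16 dropper exploits against byte-level string rules.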

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • wscript.exe (PID: 412)
      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 1044)
      • powershell.exe (PID: 7764)
      • cmd.exe (PID: 8344)
      • powershell.exe (PID: 5544)
      • powershell.exe (PID: 1584)
      • powershell.exe (PID: 5716)
      • powershell.exe (PID: 7164)
      • powershell.exe (PID: 6080)
      • powershell.exe (PID: 3508)
    • Copies file to a new location (SCRIPT)

      • wscript.exe (PID: 9092)
    • UPCRYPTER has been detected (SURICATA)

      • svchost.exe (PID: 2292)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 1044)
    • Starts CMD.EXE for self-deleting

      • powershell.exe (PID: 7764)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 7764)
      • powershell.exe (PID: 5544)
      • powershell.exe (PID: 1584)
      • powershell.exe (PID: 6080)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1584)
  • SUSPICIOUS

    • Character substitution obfuscation via .replace()

      • powershell.exe (PID: 7944)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 412)
      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 1044)
      • powershell.exe (PID: 7764)
      • cmd.exe (PID: 8344)
      • powershell.exe (PID: 5544)
      • powershell.exe (PID: 1584)
      • powershell.exe (PID: 5716)
      • powershell.exe (PID: 7164)
      • powershell.exe (PID: 6080)
      • powershell.exe (PID: 3508)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 412)
      • wscript.exe (PID: 9092)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 1044)
      • powershell.exe (PID: 7764)
      • powershell.exe (PID: 4064)
      • powershell.exe (PID: 664)
      • powershell.exe (PID: 5544)
      • powershell.exe (PID: 5716)
      • powershell.exe (PID: 1584)
      • powershell.exe (PID: 7164)
      • powershell.exe (PID: 6796)
      • powershell.exe (PID: 796)
      • powershell.exe (PID: 2912)
      • powershell.exe (PID: 7428)
      • powershell.exe (PID: 6080)
      • powershell.exe (PID: 2284)
      • powershell.exe (PID: 7932)
      • powershell.exe (PID: 1200)
      • powershell.exe (PID: 3508)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 9092)
      • wscript.exe (PID: 412)
    • The process executes JS scripts

      • wscript.exe (PID: 9092)
      • wscript.exe (PID: 412)
    • Likely accesses (executes) a file from the Public directory

      • wscript.exe (PID: 412)
      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 1044)
      • powershell.exe (PID: 7764)
      • cmd.exe (PID: 7756)
      • cmd.exe (PID: 7448)
      • cmd.exe (PID: 1700)
      • cmd.exe (PID: 3508)
      • cmd.exe (PID: 8556)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 9092)
      • wscript.exe (PID: 412)
    • Probably obfuscated PowerShell command line is found

      • wscript.exe (PID: 412)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 7944)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 1044)
    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 7944)
    • Application launched itself

      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 1044)
      • powershell.exe (PID: 7764)
      • wscript.exe (PID: 9092)
      • powershell.exe (PID: 5544)
      • powershell.exe (PID: 1584)
      • powershell.exe (PID: 5716)
      • powershell.exe (PID: 7164)
      • powershell.exe (PID: 6080)
      • powershell.exe (PID: 3508)
    • The process executes Powershell scripts

      • powershell.exe (PID: 1044)
      • powershell.exe (PID: 7764)
      • powershell.exe (PID: 4064)
      • powershell.exe (PID: 664)
      • powershell.exe (PID: 5544)
      • powershell.exe (PID: 5716)
      • powershell.exe (PID: 1584)
      • powershell.exe (PID: 7164)
      • powershell.exe (PID: 6796)
      • powershell.exe (PID: 2912)
      • powershell.exe (PID: 7428)
      • powershell.exe (PID: 796)
      • powershell.exe (PID: 2284)
      • powershell.exe (PID: 6080)
      • powershell.exe (PID: 3508)
      • powershell.exe (PID: 7932)
      • powershell.exe (PID: 1200)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 1044)
    • File deletion via cmd.exe

      • cmd.exe (PID: 7448)
      • cmd.exe (PID: 7756)
      • cmd.exe (PID: 3508)
      • cmd.exe (PID: 1700)
      • cmd.exe (PID: 8556)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 7764)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 7756)
      • cmd.exe (PID: 7448)
      • cmd.exe (PID: 1700)
      • cmd.exe (PID: 3508)
    • Runs WScript without displaying logo

      • wscript.exe (PID: 412)
    • Obfuscation pattern (POWERSHELL)

      • powershell.exe (PID: 7944)
  • INFO

    • Drops script file

      • wscript.exe (PID: 9092)
      • wscript.exe (PID: 412)
      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 1044)
      • powershell.exe (PID: 7764)
      • cmd.exe (PID: 7756)
      • cmd.exe (PID: 1700)
      • cmd.exe (PID: 8556)
      • powershell.exe (PID: 664)
      • powershell.exe (PID: 5544)
      • powershell.exe (PID: 4064)
      • powershell.exe (PID: 1584)
      • powershell.exe (PID: 7164)
      • powershell.exe (PID: 5716)
      • powershell.exe (PID: 6796)
      • powershell.exe (PID: 7428)
      • powershell.exe (PID: 796)
      • powershell.exe (PID: 2912)
      • powershell.exe (PID: 6080)
      • powershell.exe (PID: 7932)
      • powershell.exe (PID: 3508)
      • powershell.exe (PID: 2284)
      • powershell.exe (PID: 1200)
    • Self-termination (SCRIPT)

      • wscript.exe (PID: 9092)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 7764)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1044)
      • powershell.exe (PID: 7764)
    • Disables trace logs

      • powershell.exe (PID: 1044)
      • powershell.exe (PID: 7764)
    • Checks proxy server information

      • powershell.exe (PID: 1044)
      • powershell.exe (PID: 7764)
      • slui.exe (PID: 7832)
    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • powershell.exe (PID: 7944)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 1044)
    • Found Base64 encoded network access via PowerShell (YARA)

      • powershell.exe (PID: 7944)
    • Manual execution by a user

      • cmd.exe (PID: 8344)
    • Checks supported languages

      • InstallUtil.exe (PID: 7340)
      • InstallUtil.exe (PID: 7348)
      • InstallUtil.exe (PID: 8292)
    • Reads the computer name

      • InstallUtil.exe (PID: 7340)
      • InstallUtil.exe (PID: 7348)
      • InstallUtil.exe (PID: 8292)
    • Reads the machine GUID from the registry

      • InstallUtil.exe (PID: 7340)
      • InstallUtil.exe (PID: 7348)
      • InstallUtil.exe (PID: 8292)
No Malware configuration.

TRiD

.txt | Text - UTF-16 (LE) encoded (49.9)
.bas | Nevada BASIC tokenized source (25)
.mp3 | MP3 audio (24.9)
All screenshots are available in the full report
Total processes
185
Monitored processes
39
Malicious processes
12
Suspicious processes
2

Behavior graph

Process names as they appear in the graph (flattened from the interactive view; "no specs" marks a process with no signature hits):
wscript.exe no specs wscript.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe #UPCRYPTER svchost.exe powershell.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs ping.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs installutil.exe powershell.exe no specs installutil.exe no specs slui.exe powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs installutil.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs

Process information

Columns: PID, CMD, Path, Indicators, Parent process (the Indicators column is empty for every row in this extract).

PID: 412
CMD: "C:\Windows\System32\wscript.exe" //nologo "C:\Users\Public\fhrcs.js"
Path: C:\Windows\System32\wscript.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 664
CMD: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\LocalLow\Windows Sytem (x86)\Program Rules\Program Rules NVIDEO\Program Rules\Program Rules NVIDEO\qcnlg.ps1"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
PID: 796
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\admin\AppData\LocalLow\Windows Sytem (x86)\Program Rules\Program Rules NVIDEO\Program Rules\Program Rules NVIDEO\qcnlg.ps1"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 1044
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file C:\Users\Public\zstzk.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 1200
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\admin\AppData\LocalLow\Windows Sytem (x86)\Program Rules\Program Rules NVIDEO\Program Rules\Program Rules NVIDEO\qcnlg.ps1"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1212
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1524
CMD: ping 127.0.0.1 -n 1
Path: C:\Windows\System32\PING.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nsi.dll
PID: 1584
CMD: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\admin\AppData\LocalLow\Windows Sytem (x86)\Program Rules\Program Rules NVIDEO\Program Rules\Program Rules NVIDEO\znocd.ps1' ";exit
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1700
CMD: cmd.exe /c ping 127.0.0.1 -n 1 & del "c:\users\public\zstzk.ps1"
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 2284
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\admin\AppData\LocalLow\Windows Sytem (x86)\Program Rules\Program Rules NVIDEO\Program Rules\Program Rules NVIDEO\qcnlg.ps1"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
Total events
83 774
Read events
83 764
Write events
10
Delete events
0

Modification events

PID: 9092
Process: wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation: write
Name: JScriptSetScriptStateStarted
Value: 06521E0000000000

PID: 4064
Process: powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Update Drivers NVIDEO_kde
Value: cmd.exe /c start /min "" powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\admin\AppData\LocalLow\Windows Sytem (x86)\Program Rules\Program Rules NVIDEO\Program Rules\Program Rules NVIDEO\znocd.ps1' ";exit

PID: 664, 6796, 796, 7428, 2912, 2284, 7932, 1200 (one identical write per process)
Process: powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Update Drivers NVIDEO_sce
Value: cmd.exe /c start /min "" powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\admin\AppData\LocalLow\Windows Sytem (x86)\Program Rules\Program Rules NVIDEO\Program Rules\Program Rules NVIDEO\znocd.ps1' ";exit
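The process table and the registry writes above show the whole chain: wscript //nologo on a script in C:\Users\Public, PowerShell with -ExecutionPolicy Bypass running .ps1 files from C:\Users\Public and from a deep AppData\LocalLow path (the misspelt "Windows Sytem (x86)" is the directory the loader creates, not a typo in this report), a hidden-window PowerShell that dot-sources znocd.ps1 through a cmd /c start /min launcher stored under Run and RunOnce, and cmd /c ping 127.0.0.1 followed by del to remove the staged script. Windows deletes a RunOnce value once it has run, which is consistent with every qcnlg.ps1 instance re-writing the same value. The Python below is an added example, not code from the report or from the loader: a weighted rule table applied to command lines and autorun values, with the report's own command lines as input plus one constructed benign autorun for contrast. Rule names, weights and the threshold are this example's own choices.

```python
"""Command-line and autorun scoring for the loader chain in this report.

Added example (not from the ANY.RUN report). Each rule encodes one trait that
is visible in the process table or in the Run/RunOnce values; rule names,
weights and THRESHOLD are this example's own choices.
"""
import re

# C:\Users\Public\... or C:\Users\<name>\AppData\... (both user-writable)
USER_WRITABLE = r"\\users\\(?:public|[^\\]+\\appdata)\\"

RULES = (
    # Windows Script Host running a script out of a user-writable directory
    ("wsh_script_user_writable", 3, re.compile(
        r"(?i)\b[wc]script(?:\.exe)?\b.*" + USER_WRITABLE + r".*\.(?:js|jse|vbs|vbe|wsf)\b")),
    ("wsh_nologo", 1, re.compile(r"(?i)\b[wc]script(?:\.exe)?\b.*//nologo")),
    # -ExecutionPolicy Bypass, including the -ep / -ex abbreviations
    ("ps_execpolicy_bypass", 2, re.compile(r"(?i)powershell(?:\.exe)?.*-e(?:p|x[a-z]*)\s+bypass")),
    # -WindowStyle Hidden, including -w hidden
    ("ps_hidden_window", 2, re.compile(r"(?i)powershell(?:\.exe)?.*-w[a-z]*\s+hidden")),
    ("ps_script_user_writable", 3, re.compile(
        r"(?i)powershell(?:\.exe)?.*" + USER_WRITABLE + r".*\.ps1\b")),
    # -command ". 'script.ps1'" dot-sourcing, as in the Run/RunOnce values
    ("ps_dot_source_in_command", 1, re.compile(r"(?i)powershell(?:\.exe)?.*-c[a-z]*\s+\"?\.\s+'")),
    ("cmd_start_min_blank_title", 2, re.compile(r'(?i)\bcmd(?:\.exe)?\s+/c\s+start\s+/min\s+""')),
    # ping-as-sleep followed by del: self-deletion of the staged script
    ("cmd_ping_delay_then_del", 4, re.compile(
        r"(?i)\bcmd(?:\.exe)?\s+/c\s+ping\s+127\.0\.0\.1\b.*&\s*del\b")),
)
THRESHOLD = 4


def score_cmdline(cmd):
    """Return (score, [rule names]) for one command line or autorun value."""
    hits = [name for name, _, rx in RULES if rx.search(cmd)]
    return sum(w for name, w, _ in RULES if name in hits), hits


def is_suspicious(cmd, threshold=THRESHOLD):
    return score_cmdline(cmd)[0] >= threshold


def flag_cmdlines(cmdlines, threshold=THRESHOLD):
    """cmdlines: {pid: command line}. Returns {pid: (score, hits)} for flagged ones."""
    return {pid: score_cmdline(c) for pid, c in cmdlines.items() if is_suspicious(c, threshold)}


def flag_autoruns(entries, threshold=THRESHOLD):
    """entries: iterable of (registry key, value name, value data)."""
    return [(key.rsplit("\\", 1)[-1], name, score_cmdline(data)[0])
            for key, name, data in entries if is_suspicious(data, threshold)]


# Command lines quoted from the report's process table, keyed by PID.
REPORT_CMDLINES = {
    412: r'"C:\Windows\System32\wscript.exe" //nologo "C:\Users\Public\fhrcs.js"',
    664: r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\LocalLow\Windows Sytem (x86)\Program Rules\Program Rules NVIDEO\Program Rules\Program Rules NVIDEO\qcnlg.ps1"',
    1044: r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file C:\Users\Public\zstzk.ps1',
    1584: r'''powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\admin\AppData\LocalLow\Windows Sytem (x86)\Program Rules\Program Rules NVIDEO\Program Rules\Program Rules NVIDEO\znocd.ps1' ";exit''',
    1700: r'cmd.exe /c ping 127.0.0.1 -n 1 & del "c:\users\public\zstzk.ps1"',
    1212: r'\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1',
    1524: r'ping 127.0.0.1 -n 1',
}

# First entry quoted from the report's Run key write (PID 4064); the OneDrive
# entry is a constructed benign autorun for contrast.
REPORT_AUTORUNS = [
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Update Drivers NVIDEO_kde",
     r'''cmd.exe /c start /min "" powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ". 'C:\Users\admin\AppData\LocalLow\Windows Sytem (x86)\Program Rules\Program Rules NVIDEO\Program Rules\Program Rules NVIDEO\znocd.ps1' ";exit'''),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for pid, (score, hits) in sorted(flag_cmdlines(REPORT_CMDLINES).items()):
        print(pid, score, hits)
    print(flag_autoruns(REPORT_AUTORUNS))
```

Note that the self-deletion line (PID 1700) scores exactly at the threshold on one rule alone, while conhost.exe and the bare ping child score zero: the delay-plus-del pair is the signal, not ping by itself.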
Executable files
0
Suspicious files
0
Text files
3
Unknown types
48

Dropped files

Columns: PID, Process, Filename, Type, MD5, SHA256. C:\Users\Public\fhrcs.js carries the same MD5/SHA256 as the submitted sample, i.e. the script copied itself there (cf. "Copies file to a new location" for PID 9092). The __PSScriptPolicyTest_*.ps1/.psm1 files under %TEMP% are written by PowerShell itself to test whether AppLocker/WDAC constrains script execution; they all share one hash and are not loader artifacts.

PID: 7764
Process: powershell.exe
Filename: C:\Users\admin\AppData\LocalLow\Windows Sytem (x86)\Program Rules\Program Rules NVIDEO\Program Rules\Program Rules NVIDEO\znocd.ps1
Type:
MD5:
SHA256:

PID: 7944
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rbijpemb.lgz.ps1
Type: binary
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 9092
Process: wscript.exe
Filename: C:\Users\Public\fhrcs.js
Type: text
MD5: B1282A3ECA06117F28C1135969D5ADAE
SHA256: 2DF22C410A4517D699160ED70B9698F5CCD79B161A577B57A9C75AC651B2D91E

PID: 1044
Process: powershell.exe
Filename: C:\Users\Public\flkxm.txt
Type: text
MD5: BE3F3DFC21B840B2C69252BD80790B16
SHA256: AC792909BBF342BD3B387EDF286227F4C4D9CF9F75A7D96F990F9BD3E4A66719

PID: 4064
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_z5wgzsal.2mh.psm1
Type: binary
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 1044
Process: powershell.exe
Filename: C:\Users\Public\lrpqm_01.ps1
Type: binary
MD5: 774A6C0AD69BDF3C1C6A6A7362D56E5E
SHA256: 59538C55CE904F26E78703704CA54EF3B452CE61A30A7F6B124234F362D04EF8

PID: 1044
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ormm4lel.p3b.psm1
Type: binary
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7944
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Type: binary
MD5: E20F552E27DF7C7A886953AF98C52BD4
SHA256: 4EC474416A0BD4E8634EC192C00591913905D70F1E569E2F975A617FCD0FFDB5

PID: 664
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ci3vn0ej.xkk.psm1
Type: binary
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 664
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_daocxdt4.ijl.ps1
Type: binary
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests
35
TCP/UDP connections
44
DNS requests
28
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6768
MoUsoCoreWorker.exe
GET
304
51.124.78.146:443
https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop
unknown
whitelisted
5408
svchost.exe
GET
304
51.124.78.146:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
unknown
whitelisted
8260
SIHClient.exe
GET
304
20.165.94.63:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
whitelisted
8260
SIHClient.exe
GET
200
20.165.94.54:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
whitelisted
8260
SIHClient.exe
GET
200
20.165.94.63:443
https://slscr.update.microsoft.com/sls/ping
unknown
whitelisted
8260
SIHClient.exe
GET
304
20.165.94.63:443
https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
whitelisted
GET
200
162.159.142.9:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D
unknown
whitelisted
GET
200
204.79.197.203:80
http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D
unknown
whitelisted
356
svchost.exe
POST
200
20.190.160.64:443
https://login.live.com/RST2.srf
unknown
binary
11.1 Kb
whitelisted
356
svchost.exe
GET
200
162.159.142.9:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5408
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
9088
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6768
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2.16.241.197:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
5568
SearchApp.exe
2.16.241.219:443
th.bing.com
AKAMAI-ASN1
NL
whitelisted
5568
SearchApp.exe
2.16.241.197:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
162.159.142.9:80
ocsp.digicert.com
CLOUDFLARENET
US
whitelisted
204.79.197.203:80
oneocsp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3412
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
self.events.data.microsoft.com
  • 20.189.173.17
whitelisted
www.bing.com
  • 2.16.241.197
  • 2.16.241.204
  • 2.16.241.196
  • 2.16.241.223
  • 2.16.241.205
  • 2.16.241.222
  • 2.16.241.224
  • 2.16.241.203
  • 2.16.241.200
whitelisted
th.bing.com
  • 2.16.241.219
  • 2.16.241.223
  • 2.16.241.224
  • 2.16.241.200
  • 2.16.241.221
  • 2.16.241.222
  • 2.16.241.218
  • 2.16.241.197
  • 2.16.241.196
whitelisted
google.com
  • 142.250.201.174
whitelisted
ocsp.digicert.com
  • 162.159.142.9
  • 172.66.2.5
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.64
  • 40.126.32.140
  • 20.190.160.2
  • 40.126.32.72
  • 20.190.160.128
  • 40.126.32.134
  • 40.126.32.133
  • 20.190.160.22
whitelisted
www.google.com
  • 142.251.208.4
whitelisted

Threats

PID
Process
Class
Message
5408
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2292
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Win32/UpCrypter related domain (meusitehostgator .com .br)
2292
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net
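The Suricata messages above defang domains with spaces ("meusitehostgator .com .br", "*.ddns .net"), and the second one is a wildcard rather than a host. The Python below is an added example, not part of the ANY.RUN report: it refangs the indicators out of the alert messages, turns the wildcard into a suffix match on a label boundary (so notddns.net does not match ddns.net), and classifies DNS query log lines against them. The log lines are constructed for the demo, and the dynamic-DNS suffixes beyond ddns.net are this example's assumption.

```python
"""Refang Suricata alert indicators and classify DNS queries against them.

Added example (not from the ANY.RUN report). ALERTS is quoted from the Threats
table; the log lines and the suffix list beyond ddns.net are constructed.
"""
import re

ALERTS = [
    ("Unknown Traffic", "ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)"),
    ("A Network Trojan was detected",
     "MALWARE [ANY.RUN] Win32/UpCrypter related domain (meusitehostgator .com .br)"),
    ("Potentially Bad Traffic", "ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net"),
]

# Space-defanged domain: labels separated by " ." (optionally "*." in front).
# Requiring whitespace before the dot keeps "ANY.RUN" in the rule name out.
DEFANGED = re.compile(r"(?:\*\.)?[a-z0-9-]+(?:\s+\.\s*[a-z0-9-]+)+", re.I)

# Dynamic-DNS apex domains (assumed; only ddns.net is attested by the report).
DYNDNS_SUFFIXES = {"ddns.net", "no-ip.com", "duckdns.org", "hopto.org"}


def refang(defanged: str) -> str:
    return re.sub(r"\s*\.\s*", ".", defanged).lower()


def indicators_from_alerts(alerts):
    """Split alert messages into exact domains and wildcard suffixes."""
    exact, suffixes = set(), set()
    for _cls, msg in alerts:
        for m in DEFANGED.finditer(msg):
            d = refang(m.group(0))
            (suffixes if d.startswith("*.") else exact).add(d.removeprefix("*."))
    return exact, suffixes


def _under(q: str, apex: str) -> bool:
    # Label-boundary match: "host.ddns.net" yes, "notddns.net" no.
    return q == apex or q.endswith("." + apex)


def classify_query(qname: str, exact, suffixes) -> str:
    q = qname.lower().rstrip(".")
    if any(_under(q, e) for e in exact):
        return "report-indicator"
    if any(_under(q, s) for s in suffixes | DYNDNS_SUFFIXES):
        return "dynamic-dns"
    return "unclassified"


# Constructed DNS query log (not from the report): "<time> <client> <qtype> <qname>"
SAMPLE_LOG = """\
2026-02-27T07:17:40Z 192.168.100.12 A settings-win.data.microsoft.com
2026-02-27T07:18:02Z 192.168.100.12 A meusitehostgator.com.br
2026-02-27T07:18:05Z 192.168.100.12 A update-nvideo.ddns.net
2026-02-27T07:18:09Z 192.168.100.12 A notddns.net
"""


def triage_dns_log(text: str, alerts=ALERTS):
    """Return [(qname, label)] for every query that matches an indicator."""
    exact, suffixes = indicators_from_alerts(alerts)
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        label = classify_query(parts[3], exact, suffixes)
        if label != "unclassified":
            hits.append((parts[3].lower().rstrip("."), label))
    return hits


if __name__ == "__main__":
    print(triage_dns_log(SAMPLE_LOG))
```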