File name: test99

Full analysis: https://app.any.run/tasks/173886ce-3bcd-488c-8bc0-6570bfef9b68
Verdict: Malicious activity
Analysis date: July 18, 2024, 00:37:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion, mimikatz, tools
Indicators:
MIME: application/octet-stream
File info: data
MD5: 2513EB59C3DB32A2D5EFBEDE6136A75D
SHA1: 1D8DBFC96C391091BE3CABCB7F437DAF069AD943
SHA256: 50D1B32CF53FE1B0822D2606AA397743D6069785BA0B03A3CAD52E63F84C90A8
SSDEEP: 192:1D3nTjp5JdQUP5YttDOtMXmgntgO8ljTcQ4en:1DXPpvxYyC/nmnjOen

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Accesses user account's information (Win32_UserAccount) via WMI (SCRIPT)
      • scrcons.exe (PID: 3408)
      • cscript.exe (PID: 2888)
    • Deletes a file (SCRIPT)
      • scrcons.exe (PID: 3408)
    • Creates internet connection object (SCRIPT)
      • scrcons.exe (PID: 3408)
      • cscript.exe (PID: 2888)
    • Sends HTTP request (SCRIPT)
      • scrcons.exe (PID: 3408)
      • cscript.exe (PID: 2888)
    • Accesses Processor (Win32_Processor, may evade sandboxes) via WMI (SCRIPT)
      • scrcons.exe (PID: 3408)
      • cscript.exe (PID: 2888)
    • Opens an HTTP connection (SCRIPT)
      • scrcons.exe (PID: 3408)
      • cscript.exe (PID: 2888)
    • Gets path to any of the special folders (SCRIPT)
      • scrcons.exe (PID: 3408)
      • cscript.exe (PID: 2888)
    • Opens a text file (SCRIPT)
      • scrcons.exe (PID: 3408)
    • Gets a file object corresponding to the file in a specified path (SCRIPT)
      • cscript.exe (PID: 2888)
    • Uses base64 encoding (SCRIPT)
      • cscript.exe (PID: 2888)
    • Downloads the requested resource (POWERSHELL)
      • powershell.exe (PID: 3516)
    • Creates a writable file in the system directory
      • powershell.exe (PID: 3516)
    • Accesses group account data (Win32_Group) via WMI (SCRIPT)
      • cscript.exe (PID: 2888)
    • Accesses the network adapter (Win32_NetworkAdapter) via WMI (SCRIPT)
      • cscript.exe (PID: 2888)
    • Accesses system services (Win32_Service) via WMI (SCRIPT)
      • cscript.exe (PID: 2888)
    • Uses sleep, probably for evasion of detection (SCRIPT)
      • cscript.exe (PID: 2888)
    • May hide the program window using WMI (SCRIPT)
      • cscript.exe (PID: 2888)
  • SUSPICIOUS
    • Executes WMI query (SCRIPT)
      • scrcons.exe (PID: 3408)
      • cscript.exe (PID: 2888)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)
      • scrcons.exe (PID: 3408)
      • cscript.exe (PID: 2888)
    • Accesses current user name via WMI (SCRIPT)
      • scrcons.exe (PID: 3408)
      • cscript.exe (PID: 2888)
    • Checks whether a specific file exists (SCRIPT)
      • scrcons.exe (PID: 3408)
      • cscript.exe (PID: 2888)
    • Adds/modifies Windows certificates
      • scrcons.exe (PID: 3408)
    • Creates FileSystem object to access computer's file system (SCRIPT)
      • scrcons.exe (PID: 3408)
      • cscript.exe (PID: 2888)
    • Checks for external IP
      • scrcons.exe (PID: 3408)
    • Checks Windows Trust Settings
      • drvinst.exe (PID: 1168)
    • Writes binary data to a Stream object (SCRIPT)
      • scrcons.exe (PID: 3408)
      • cscript.exe (PID: 2888)
    • Possibly malicious use of IEX has been detected
      • scrcons.exe (PID: 3408)
    • Starts POWERSHELL.EXE for commands execution
      • scrcons.exe (PID: 3408)
    • Runs shell command (SCRIPT)
      • scrcons.exe (PID: 3408)
    • Starts CMD.EXE for commands execution
      • scrcons.exe (PID: 3408)
    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)
      • scrcons.exe (PID: 3408)
      • cscript.exe (PID: 2888)
    • Reads data from a binary Stream object (SCRIPT)
      • cscript.exe (PID: 2888)
    • Saves data to a binary file (SCRIPT)
      • scrcons.exe (PID: 3408)
      • cscript.exe (PID: 2888)
    • Creates XML DOM element (SCRIPT)
      • cscript.exe (PID: 2888)
    • Sets XML DOM element text (SCRIPT)
      • cscript.exe (PID: 2888)
    • Changes charset (SCRIPT)
      • cscript.exe (PID: 2888)
    • Gets information about processes (POWERSHELL)
      • powershell.exe (PID: 3516)
    • Uses sleep to delay execution (POWERSHELL)
      • powershell.exe (PID: 3516)
    • Starts a new process with hidden mode (POWERSHELL)
      • powershell.exe (PID: 3516)
    • Accesses computer name via WMI (SCRIPT)
      • cscript.exe (PID: 2888)
    • Accesses OperatingSystem (Win32_OperatingSystem) via WMI (SCRIPT)
      • cscript.exe (PID: 2888)
    • Executed via WMI
      • mofcomp.exe (PID: 2772)
    • Accesses ComputerSystem (Win32_ComputerSystem) via WMI (SCRIPT)
      • cscript.exe (PID: 2888)
    • Adds, changes, or deletes HTTP request header (SCRIPT)
      • cscript.exe (PID: 2888)
    • Gets full path of the running script (SCRIPT)
      • cscript.exe (PID: 2888)
  • INFO
    • Manual execution by a user
      • cmd.exe (PID: 2092)
      • explorer.exe (PID: 1980)
    • Reads the software policy settings
      • scrcons.exe (PID: 3408)
      • drvinst.exe (PID: 1168)
    • Checks supported languages
      • drvinst.exe (PID: 1168)
    • Reads the computer name
      • drvinst.exe (PID: 1168)
    • Reads the machine GUID from the registry
      • drvinst.exe (PID: 1168)
    • Reads security settings of Internet Explorer
      • scrcons.exe (PID: 3408)
    • Disables trace logs
      • powershell.exe (PID: 3516)
    • Checks whether the specified file exists (POWERSHELL)
      • powershell.exe (PID: 3516)
No Malware configuration.
No data.
Total processes: 58
Monitored processes: 11
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Process chain (processes marked "no specs" have no detailed record): rundll32.exe (no specs), cmd.exe, explorer.exe (no specs), mofcomp.exe (no specs), scrcons.exe, drvinst.exe (no specs), powershell.exe, cmd.exe (no specs), cscript.exe, mofcomp.exe (no specs), wmpnscfg.exe (no specs)

Process information

PID: 1168
CMD: DrvInst.exe "1" "200" "UMB\UMB\1&841921d&0&TERMINPUT_BUS" "" "" "6e3bed883" "00000000" "0000030C" "00000060"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

PID: 1980
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 2092
CMD: "C:\Windows\System32\cmd.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 2724
CMD: mofcomp.exe C:\Users\admin\AppData\Local\Temp\test99
Path: C:\Windows\System32\wbem\mofcomp.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: The Managed Object Format (MOF) Compiler
Exit code: 0
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules (images):
c:\windows\system32\wbem\mofcomp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll

PID: 2772
CMD: mofcomp C:\Windows\TEMP\mf
Path: C:\Windows\System32\wbem\mofcomp.exe
Parent process: WmiPrvSE.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: The Managed Object Format (MOF) Compiler
Exit code: 0
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules (images):
c:\windows\system32\wbem\mofcomp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll

PID: 2868
CMD: "C:\Windows\System32\cmd.exe" /c cscript.exe /b /e:VBScript.Encode C:\Windows\TEMP\xw2.tmp 579562847 & del /f/q C:\Windows\TEMP\xw2.tmp
Path: C:\Windows\System32\cmd.exe
Parent process: scrcons.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 2888
CMD: cscript.exe /b /e:VBScript.Encode C:\Windows\TEMP\xw2.tmp 579562847
Path: C:\Windows\System32\cscript.exe
Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (images):
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

PID: 3380
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 3408
CMD: C:\Windows\system32\wbem\scrcons.exe -Embedding
Path: C:\Windows\System32\wbem\scrcons.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: WMI Standard Event Consumer - scripting
Exit code: 0
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules (images):
c:\windows\system32\wbem\scrcons.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll

PID: 3516
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex $env:EXVAR
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: scrcons.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events: 11 669
Read events: 11 598
Write events: 56
Delete events: 15

Modification events

(PID 3700) rundll32.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | Operation: write | Name: C:\Windows\eHome\ehshell.exe | Value: Windows Media Center
(PID 3700) rundll32.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | Operation: write | Name: C:\Program Files\Mozilla Firefox\firefox.exe | Value: Firefox
(PID 3700) rundll32.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | Operation: write | Name: C:\Program Files\Internet Explorer\iexplore.exe | Value: Internet Explorer
(PID 3700) rundll32.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | Operation: write | Name: C:\Windows\system32\mspaint.exe | Value: Paint
(PID 3700) rundll32.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | Operation: write | Name: C:\Windows\system32\NOTEPAD.EXE | Value: Notepad
(PID 3700) rundll32.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | Operation: write | Name: C:\PROGRA~1\MICROS~1\Office14\OIS.EXE | Value: Microsoft Office 2010
(PID 3700) rundll32.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | Operation: write | Name: C:\Program Files\Windows Photo Viewer\PhotoViewer.dll | Value: Windows Photo Viewer
(PID 3700) rundll32.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | Operation: write | Name: C:\Program Files\VideoLAN\VLC\vlc.exe | Value: VLC media player
(PID 3700) rundll32.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | Operation: write | Name: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Value: Microsoft Word
(PID 3700) rundll32.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
Executable files: 0
Suspicious files: 8
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1168 | drvinst.exe | C:\Windows\INF\setupapi.ev1 | binary
  MD5: 60132FBCD9D75F3D5B5BE24655EF6561
  SHA256: 83945B0EB90B2E7D6053429476130725EC3E4738DBC8F8452EBAEDEC7A34655A
2888 | cscript.exe | C:\Windows\TEMP\onlyonce240503.txt | text
  MD5: 6F8DB599DE986FAB7A21625B7916589C
  SHA256: D5579C46DFCC7F18207013E65B44E4CB4E2C2298F4AC457BA8F82743F31E930B
1168 | drvinst.exe | C:\Windows\INF\setupapi.ev2 | binary
  MD5: 2FE52592F516CEC700CDA4E84FC29CAA
  SHA256: 3B345047D3FDAF504E9AB049DC67240910B4BBA5087DE72992CFFE0244185B0F
3408 | scrcons.exe | C:\Windows\TEMP\xw2.tmp | vbe
  MD5: A1BFE3D65C10A7C736DE9CFB09490077
  SHA256: 85B9FD2750571831FD1DCD22B11DA9C935F03DF98B9B854A91C3541D7EAE104A
3516 | powershell.exe | C:\Windows\TEMP\nvwysuvu.a5h.psm1 | binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256:
3516 | powershell.exe | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
  MD5: 446DD1CF97EABA21CF14D03AEBC79F27
  SHA256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
3408 | scrcons.exe | C:\Windows\temp\dfvt.log | text
  MD5: 1B6666BAA37AAE6ACA0AA1F481F3F2DB
  SHA256: 4CED55FC0F30E15033A9D620E9F9071A1448FF34792CE5ADBCD38A4BC53DA1B1
1168 | drvinst.exe | C:\Windows\INF\setupapi.ev3 | binary
  MD5: 9EBC654990CE1A767CA8B0FEC40AA488
  SHA256: 9238AE2D3B756EB9BA37056F7F2869B460C7EA3AEAB6FE5831D2E00A51FBBC4F
2888 | cscript.exe | C:\Windows\TEMP\onlyonceaddu240427.txt | text
  MD5: 6F8DB599DE986FAB7A21625B7916589C
  SHA256: D5579C46DFCC7F18207013E65B44E4CB4E2C2298F4AC457BA8F82743F31E930B
3516 | powershell.exe | C:\Windows\TEMP\utxa1hhp.vbl.ps1 | binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256:
HTTP(S) requests: 11
TCP/UDP connections: 17
DNS requests: 10
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns are empty for every row)
1372 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | whitelisted
1372 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1060 | svchost.exe | GET | 304 | 2.19.126.137:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75 | unknown | whitelisted
3516 | powershell.exe | GET | 200 | 172.67.178.106:80 | http://d.mymst007.info/s/ps/istH64 | unknown | unknown
3408 | scrcons.exe | GET | 200 | 172.67.178.106:80 | http://d.mymst007.info/s/h64endl2?e=1 | unknown | unknown
2888 | cscript.exe | GET | 200 | 172.67.178.106:80 | http://d.mymst007.info/pc?info=3389---4---0409---Guest | unknown | unknown
2888 | cscript.exe | GET | 200 | 172.67.178.106:80 | http://d.mymst007.info/f/w/mf | unknown | unknown
1372 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
3408 | scrcons.exe | GET | 200 | 188.114.97.3:80 | http://d.mymst.top/ex?e=1 | unknown | whitelisted
3408 | scrcons.exe | GET | 200 | 188.114.97.3:80 | http://d.mymst.top/ver | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation (empty cells were not recorded)
4 | System | 192.168.100.255:137 | | | | whitelisted
 | | 224.0.0.252:5355 | | | | whitelisted
1372 | svchost.exe | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | | | | whitelisted
1372 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1372 | svchost.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
1372 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
1372 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
1060 | svchost.exe | 2.19.126.137:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown

DNS requests

Domain | IP(s) | Reputation
google.com | 142.250.186.110 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
ctldl.windowsupdate.com | 93.184.221.240, 2.19.126.137, 2.19.126.163 | whitelisted
crl.microsoft.com | 2.16.164.120, 2.16.164.72 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
d.mymst.top | 188.114.97.3, 188.114.96.3 | malicious
ifconfig.me | 34.160.111.145 | shared
m.mymst.top | 188.114.96.3, 188.114.97.3 | malicious
d.mymst007.info | 172.67.178.106, 104.21.75.152 | unknown

Threats

PID | Process | Class | Message
1060 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
1060 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Lookup Domain (ifconfig .me)
3408 | scrcons.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
3408 | scrcons.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup SSL/TLS Certificate (ifconfig .me)
3516 | powershell.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Get-CimInstance Cmdlet has been detected
3516 | powershell.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Get-WmiObject Cmdlet has been detected
3408 | scrcons.exe | Misc activity | ET INFO Microsoft Script Encoder Encoded File
No debug info