File name:

efa3abe8_.bat

Full analysis: https://app.any.run/tasks/a9ff944e-ed33-49b2-ac32-a604dbd349f0
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: October 25, 2025, 08:21:08
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
upx
valleyrat
winos
rat
silverfox
nspack
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

EB8480961557D44BD4ED590EA796B795

SHA1:

8C7827AEEBB67172769C49F7F7B885E2572019D2

SHA256:

54EE598D4B602A95270889C97505D2FE4E1092D718733C01DF53F99DFA5096F9

SSDEEP:

98304:o3WT/68nJTAba4ynTVLUH8P2duB+lc9xghh4RcPNnAshmbsMFr3EGPGrmSWbzTOh:4I+nLbvd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • efa3abe8_.bat.exe (PID: 7816)
      • funzip.exe (PID: 7416)
      • efa3abe8_.bat.exe (PID: 8124)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 4316)
      • powershell.exe (PID: 7336)
      • powershell.exe (PID: 7344)
      • powershell.exe (PID: 8124)
      • powershell.exe (PID: 8052)
      • powershell.exe (PID: 644)
      • powershell.exe (PID: 6364)
      • powershell.exe (PID: 480)
      • powershell.exe (PID: 5936)
      • powershell.exe (PID: 4316)
      • powershell.exe (PID: 7372)
      • powershell.exe (PID: 7572)
      • powershell.exe (PID: 1952)
      • powershell.exe (PID: 1236)
      • powershell.exe (PID: 8036)
      • powershell.exe (PID: 1792)
      • powershell.exe (PID: 8128)
      • powershell.exe (PID: 7300)
      • powershell.exe (PID: 7656)
      • powershell.exe (PID: 4528)
      • powershell.exe (PID: 2552)
      • powershell.exe (PID: 144)
      • powershell.exe (PID: 6776)
      • powershell.exe (PID: 7564)
      • powershell.exe (PID: 864)
      • powershell.exe (PID: 1676)
      • powershell.exe (PID: 5884)
      • powershell.exe (PID: 1844)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 2024)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 7176)
      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 3392)
      • powershell.exe (PID: 7320)
      • powershell.exe (PID: 4080)
      • powershell.exe (PID: 5520)
      • powershell.exe (PID: 5504)
      • powershell.exe (PID: 3100)
      • powershell.exe (PID: 7372)
      • powershell.exe (PID: 4220)
      • powershell.exe (PID: 1416)
      • powershell.exe (PID: 7732)
      • powershell.exe (PID: 6224)
      • powershell.exe (PID: 7264)
      • powershell.exe (PID: 7316)
      • powershell.exe (PID: 3272)
      • powershell.exe (PID: 7328)
      • powershell.exe (PID: 3144)
      • powershell.exe (PID: 5320)
    • Changes Windows Defender settings

      • NtHandleCallback.exe (PID: 5240)
    • Adds path to the Windows Defender exclusion list

      • NtHandleCallback.exe (PID: 5240)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 8052)
      • powershell.exe (PID: 7336)
      • powershell.exe (PID: 6364)
      • powershell.exe (PID: 7372)
      • powershell.exe (PID: 1236)
      • powershell.exe (PID: 8128)
      • powershell.exe (PID: 5884)
      • powershell.exe (PID: 2552)
      • powershell.exe (PID: 7564)
      • powershell.exe (PID: 2024)
      • powershell.exe (PID: 7176)
      • powershell.exe (PID: 3392)
      • powershell.exe (PID: 4220)
      • powershell.exe (PID: 5504)
      • powershell.exe (PID: 7732)
      • powershell.exe (PID: 7316)
      • powershell.exe (PID: 7328)
    • Changes powershell execution policy (Bypass)

      • NtHandleCallback.exe (PID: 5240)
    • VALLEYRAT has been detected (YARA)

      • NtHandleCallback.exe (PID: 5240)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • efa3abe8_.bat.exe (PID: 8124)
      • efa3abe8_.bat.tmp (PID: 8164)
      • efa3abe8_.bat.exe (PID: 7816)
      • men.exe (PID: 2320)
      • funzip.exe (PID: 7416)
      • NVIDIA.exe (PID: 8028)
      • NtHandleCallback.exe (PID: 5240)
    • Reads the Windows owner or organization settings

      • efa3abe8_.bat.tmp (PID: 8164)
    • Process drops legitimate windows executable

      • efa3abe8_.bat.tmp (PID: 8164)
    • Reads security settings of Internet Explorer

      • efa3abe8_.bat.tmp (PID: 7836)
      • men.exe (PID: 2320)
    • Drops 7-zip archiver for unpacking

      • efa3abe8_.bat.tmp (PID: 8164)
      • men.exe (PID: 2320)
    • Drops a system driver (possible attempt to evade defenses)

      • men.exe (PID: 2320)
      • NtHandleCallback.exe (PID: 5240)
    • Starts CMD.EXE for commands execution

      • men.exe (PID: 2320)
    • Likely accesses (executes) a file from the Public directory

      • NVIDIA.exe (PID: 8028)
      • NtHandleCallback.exe (PID: 5240)
      • powershell.exe (PID: 7336)
      • powershell.exe (PID: 8052)
      • powershell.exe (PID: 6364)
      • powershell.exe (PID: 7372)
      • main.exe (PID: 1076)
      • main.exe (PID: 6452)
      • sc.exe (PID: 3984)
      • cmd.exe (PID: 2816)
      • powershell.exe (PID: 1236)
      • powershell.exe (PID: 8128)
      • powershell.exe (PID: 5884)
      • powershell.exe (PID: 2552)
      • powershell.exe (PID: 7564)
      • powershell.exe (PID: 2024)
      • powershell.exe (PID: 7176)
      • powershell.exe (PID: 3392)
      • powershell.exe (PID: 5504)
      • powershell.exe (PID: 4220)
      • powershell.exe (PID: 7732)
      • powershell.exe (PID: 7316)
      • powershell.exe (PID: 7328)
    • Creates or modifies Windows services

      • NVIDIA.exe (PID: 8028)
    • Uses WMIC.EXE to obtain network information

      • cmd.exe (PID: 7876)
    • There is functionality for taking screenshot (YARA)

      • men.exe (PID: 2320)
    • Reads the date of Windows installation

      • men.exe (PID: 2320)
    • Starts POWERSHELL.EXE for commands execution

      • NtHandleCallback.exe (PID: 5240)
      • cmd.exe (PID: 272)
    • The process bypasses the loading of PowerShell profile settings

      • NtHandleCallback.exe (PID: 5240)
    • Query Microsoft Defender preferences

      • NtHandleCallback.exe (PID: 5240)
    • Creates file in the systems drive root

      • NtHandleCallback.exe (PID: 5240)
    • Connects to unusual port

      • NtHandleCallback.exe (PID: 5240)
    • Script adds exclusion path to Windows Defender

      • NtHandleCallback.exe (PID: 5240)
    • Starts SC.EXE for service management

      • men.exe (PID: 2320)
    • Stops a currently running service

      • sc.exe (PID: 5232)
    • Hides command output

      • cmd.exe (PID: 272)
    • Creates a new Windows service

      • sc.exe (PID: 3984)
    • Windows service management via SC.EXE

      • sc.exe (PID: 2336)
    • The process deletes folder without confirmation

      • men.exe (PID: 2320)
    • Executing commands from a ".bat" file

      • men.exe (PID: 2320)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 4312)
    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 272)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 272)
  • INFO

    • Checks supported languages

      • efa3abe8_.bat.exe (PID: 7816)
      • efa3abe8_.bat.tmp (PID: 7836)
      • efa3abe8_.bat.tmp (PID: 8164)
      • funzip.exe (PID: 7416)
      • men.exe (PID: 2320)
      • NVIDIA.exe (PID: 8028)
      • NtHandleCallback.exe (PID: 5240)
      • efa3abe8_.bat.exe (PID: 8124)
      • main.exe (PID: 6452)
      • main.exe (PID: 1076)
    • The sample compiled with english language support

      • efa3abe8_.bat.tmp (PID: 8164)
      • men.exe (PID: 2320)
    • Create files in a temporary directory

      • efa3abe8_.bat.tmp (PID: 8164)
      • efa3abe8_.bat.exe (PID: 7816)
      • NVIDIA.exe (PID: 8028)
      • efa3abe8_.bat.exe (PID: 8124)
    • Creates files in the program directory

      • efa3abe8_.bat.tmp (PID: 8164)
      • funzip.exe (PID: 7416)
      • men.exe (PID: 2320)
      • main.exe (PID: 1076)
    • Reads the computer name

      • efa3abe8_.bat.tmp (PID: 7836)
      • men.exe (PID: 2320)
      • funzip.exe (PID: 7416)
      • NtHandleCallback.exe (PID: 5240)
      • efa3abe8_.bat.tmp (PID: 8164)
    • Process checks computer location settings

      • efa3abe8_.bat.tmp (PID: 7836)
      • men.exe (PID: 2320)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • men.exe (PID: 2320)
    • The sample compiled with chinese language support

      • NVIDIA.exe (PID: 8028)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5328)
    • UPX packer has been detected

      • men.exe (PID: 2320)
      • NVIDIA.exe (PID: 8028)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4316)
      • powershell.exe (PID: 7336)
      • powershell.exe (PID: 8124)
      • powershell.exe (PID: 7344)
      • powershell.exe (PID: 5936)
      • powershell.exe (PID: 8052)
      • powershell.exe (PID: 644)
      • powershell.exe (PID: 6364)
      • powershell.exe (PID: 4316)
      • powershell.exe (PID: 480)
      • powershell.exe (PID: 7372)
      • powershell.exe (PID: 7572)
      • powershell.exe (PID: 1952)
      • powershell.exe (PID: 1236)
      • powershell.exe (PID: 8036)
      • powershell.exe (PID: 8128)
      • powershell.exe (PID: 7300)
      • powershell.exe (PID: 1792)
      • powershell.exe (PID: 144)
      • powershell.exe (PID: 7656)
      • powershell.exe (PID: 4528)
      • powershell.exe (PID: 2552)
      • powershell.exe (PID: 1844)
      • powershell.exe (PID: 6776)
      • powershell.exe (PID: 7564)
      • powershell.exe (PID: 864)
      • powershell.exe (PID: 1676)
      • powershell.exe (PID: 5884)
      • powershell.exe (PID: 2024)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 3392)
      • powershell.exe (PID: 4080)
      • powershell.exe (PID: 7320)
      • powershell.exe (PID: 7176)
      • powershell.exe (PID: 5520)
      • powershell.exe (PID: 5504)
      • powershell.exe (PID: 3100)
      • powershell.exe (PID: 7372)
      • powershell.exe (PID: 4220)
      • powershell.exe (PID: 1416)
      • powershell.exe (PID: 3272)
      • powershell.exe (PID: 6224)
      • powershell.exe (PID: 7732)
      • powershell.exe (PID: 7264)
      • powershell.exe (PID: 5320)
      • powershell.exe (PID: 3144)
      • powershell.exe (PID: 7316)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4316)
      • powershell.exe (PID: 7336)
      • powershell.exe (PID: 7344)
      • powershell.exe (PID: 8124)
      • powershell.exe (PID: 8052)
      • powershell.exe (PID: 5936)
      • powershell.exe (PID: 6364)
      • powershell.exe (PID: 480)
      • powershell.exe (PID: 4316)
      • powershell.exe (PID: 7372)
      • powershell.exe (PID: 7572)
      • powershell.exe (PID: 1952)
      • powershell.exe (PID: 1236)
      • powershell.exe (PID: 1792)
      • powershell.exe (PID: 8128)
      • powershell.exe (PID: 8036)
      • powershell.exe (PID: 7300)
      • powershell.exe (PID: 2552)
      • powershell.exe (PID: 144)
      • powershell.exe (PID: 7656)
      • powershell.exe (PID: 4528)
      • powershell.exe (PID: 1844)
      • powershell.exe (PID: 7564)
      • powershell.exe (PID: 6776)
      • powershell.exe (PID: 864)
      • powershell.exe (PID: 5884)
      • powershell.exe (PID: 1676)
      • powershell.exe (PID: 2024)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 5520)
      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 3392)
      • powershell.exe (PID: 4080)
      • powershell.exe (PID: 7320)
      • powershell.exe (PID: 7176)
      • powershell.exe (PID: 5504)
      • powershell.exe (PID: 3100)
      • powershell.exe (PID: 7372)
      • powershell.exe (PID: 4220)
      • powershell.exe (PID: 3272)
      • powershell.exe (PID: 6224)
      • powershell.exe (PID: 7732)
      • powershell.exe (PID: 7264)
      • powershell.exe (PID: 1416)
      • powershell.exe (PID: 7316)
      • powershell.exe (PID: 5320)
      • powershell.exe (PID: 3144)
      • powershell.exe (PID: 644)
    • NsPack has been detected

      • NtHandleCallback.exe (PID: 5240)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (77.7)
.exe | Win32 Executable Delphi generic (10)
.dll | Win32 Dynamic Link Library (generic) (4.6)
.exe | Win32 Executable (generic) (3.1)
.exe | Win16/32 Executable Delphi generic (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:17 10:22:54+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 86016
InitializedDataSize: 69120
UninitializedDataSize: -
EntryPoint: 0x16478
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 3.30.5.0
ProductVersionNumber: 3.30.5.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: X Setup
FileVersion: 3.30.5.0
LegalCopyright:
ProductName: X
ProductVersion: 3.30.5.0
No data.
All screenshots are available in the full report
Total processes
276
Monitored processes
135
Malicious processes
6
Suspicious processes
18

Behavior graph

start efa3abe8_.bat.exe efa3abe8_.bat.tmp no specs efa3abe8_.bat.exe efa3abe8_.bat.tmp funzip.exe conhost.exe no specs men.exe cmd.exe no specs conhost.exe no specs nvidia.exe wmic.exe no specs #VALLEYRAT nthandlecallback.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs slui.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs main.exe no specs main.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs takeown.exe no specs icacls.exe no specs ping.exe no specs takeown.exe no specs icacls.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs 
conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 144
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -Command "[Console]::OutputEncoding=[System.Text.Encoding]::UTF8;(Get-MpPreference).ExclusionPath|Out-String -Width 4096"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: NtHandleCallback.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 272
CMD: cmd /c "takeown /f "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\WindowsPowerShell.WbemScripting.SWbemLocator" /a >nul 2>&1 & icacls "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\WindowsPowerShell.WbemScripting.SWbemLocator" /grant Administrators:F >nul 2>&1 & takeown /f "C:\\Windows\\System32\\Tasks\WindowsPowerShell.WbemScripting.SWbemLocator" /grant Administrators:F >nul 2>&1 & icacls "C:\\Windows\\System32\\Tasks\WindowsPowerShell.WbemScripting.SWbemLocator" /deny Everyone:D >nul 2>&1 & powershell -Command \"$regPath = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\WindowsPowerShell.WbemScripting.SWbemLocator'; $acl = (Get-Item -Path $regPath).GetAccessControl(); $acl.SetAccessRuleProtection($true); $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_); }; $sidSystem = New-Object System.Security.Principal.Security.Identity('S-1-5-18'); $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($sidSystem,'FullControl','Allow'))); $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($sidAdmins,'ReadKey','Allow'))); $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($sidEveryone,'Delete','Deny'))); (Get-Item -Path $regPath).SetAccessControl($acl); Disable-ScheduledTask -TaskName 'WindowsPowerShell.WbemScripting.SWbemLocator'; Write-Host 'X' -ForegroundColor Green;\""
Path: C:\Windows\System32\cmd.exe
Parent process: men.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 480
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -Command "[Console]::OutputEncoding=[System.Text.Encoding]::UTF8;(Get-MpPreference).ExclusionPath|Out-String -Width 4096"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: NtHandleCallback.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 564
CMD: icacls "C:\\Windows\\System32\\Tasks\WindowsPowerShell.WbemScripting.SWbemLocator" /deny Everyone:D
Path: C:\Windows\System32\icacls.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 644
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -Command "[Console]::OutputEncoding=[System.Text.Encoding]::UTF8;(Get-MpPreference).ExclusionPath|Out-String -Width 4096"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: NtHandleCallback.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 680
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 828
CMD: icacls "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\WindowsPowerShell.WbemScripting.SWbemLocator" /grant Administrators:F
Path: C:\Windows\System32\icacls.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
3
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 864
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -Command "[Console]::OutputEncoding=[System.Text.Encoding]::UTF8;(Get-MpPreference).ExclusionPath|Out-String -Width 4096"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: NtHandleCallback.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1076
CMD: C:\Users\Public\Documents\WindowsData\main.exe 1
Path: C:\Users\Public\Documents\WindowsData\main.exe
Parent process: men.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\public\documents\windowsdata\main.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\drivers\fltmgr.sys
c:\windows\system32\ntoskrnl.exe
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 1108
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
69 028
Read events
69 026
Write events
2
Delete events
0

Modification events

(PID) Process: (8028) NVIDIA.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ezQNNONucxVoqepmIlodvzf
Operation: write
Name: ImagePath
Value: \??\C:\Users\admin\AppData\Local\Temp\ezQNNONucxVoqepmIlodvzf

(PID) Process: (8028) NVIDIA.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ezQNNONucxVoqepmIlodvzf
Operation: write
Name: Type
Value: 1
Executable files
17
Suspicious files
10
Text files
201
Unknown types
0

Dropped files

PID | Process | Filename | Type

8164 | efa3abe8_.bat.tmp | C:\ProgramData\WindowsData\is-3L789.tmp
MD5:
SHA256:

8164 | efa3abe8_.bat.tmp | C:\ProgramData\WindowsData\server.xml
MD5:
SHA256:

8124 | efa3abe8_.bat.exe | C:\Users\admin\AppData\Local\Temp\is-TGD73.tmp\efa3abe8_.bat.tmp | executable
MD5: A2F62D2E3E17EC207C1CE977E799E986
SHA256: 534A5B167207FD4DC0B56E16E8DFE1DB633D9B16CB4C5C6018D145326DF96E2D

8164 | efa3abe8_.bat.tmp | C:\ProgramData\WindowsData\GYNXyPlTtM.xml | text
MD5: 39E36678D35CB702B01CFE4D5E6452C0
SHA256: 5190C9A71E17771B693C4953D302BF27B0AFF3D2744F10FEB994636FAD43F3F8

8164 | efa3abe8_.bat.tmp | C:\ProgramData\WindowsData\is-0LF5A.tmp | text
MD5: 39E36678D35CB702B01CFE4D5E6452C0
SHA256: 5190C9A71E17771B693C4953D302BF27B0AFF3D2744F10FEB994636FAD43F3F8

8164 | efa3abe8_.bat.tmp | C:\ProgramData\WindowsData\Server.log | binary
MD5: 3E5872564483A1277A09F1F503882D26
SHA256: A53FD944525EEBC9AB662B133811CA7D2041D25ABA5F69BB59D127D4ACFF6A62

2320 | men.exe | C:\Users\Public\Documents\WindowsData\X.vbe | binary
MD5: 04264646287BB028AD5280CF4DA39358
SHA256: 73526196AC0F863BD46F1BD0653CE42C429064E24FAF2AD917FF935E9BBDFFB5

2320 | men.exe | C:\Users\Public\Documents\WindowsData\NVIDIA.exe | executable
MD5: A83B94C5EFD303E10542547374BE2946
SHA256: EBC5F8EA7198A50A0074C6CECC0438FB962833A04FA568AB3B88587CC973E3C6

2320 | men.exe | C:\Users\Public\Documents\WindowsData\BdApiUtil64.sys | executable
MD5: 29E1264DD642B646FBEF9BD347B1B860
SHA256: 32198295D2A2700B9895FFF999C2B233F9BEFB0BC175815EC4B71EE926B6EDFC

2320 | men.exe | C:\Users\Public\Documents\WindowsData\KGseKKdKce.exe | executable
MD5: C416A4664A84A5BD4F8F032472E56CDD
SHA256: F327426FCAD7D11BBBD986F17B580EAF653428B80895ABDBC49F94853A90C9B3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
26
TCP/UDP connections
61
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
2.16.241.218:443
https://www.bing.com/AS/API/WindowsCortanaPane/V2/Suggestions?qry=&setlang=en-US&cc=US&nohs=1&qfm=1&cp=0&cvid=d78f227ba78a4992a181fb0a7816f5a0&ig=6894a89b028f4ab4bc8d21613848146c
unknown
unknown
GET
2.16.241.218:443
https://www.bing.com/dsb/scenario?name=TrendingSearchWithCache&cc=us&setlang=en-us
unknown
unknown
GET
2.16.241.205:443
https://www.bing.com/AS/API/WindowsCortanaPane/V2/Suggestions?qry=&setlang=en-US&cc=US&nohs=1&qfm=1&cp=0&cvid=d78f227ba78a4992a181fb0a7816f5a0&ig=978b6fc107794ba0b740eaa0651abf4a
unknown
unknown
2616
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2616
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2616
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
POST
200
40.126.31.0:443
https://login.live.com/RST2.srf
unknown
xml
11.3 Kb
unknown
POST
200
20.190.159.64:443
https://login.live.com/RST2.srf
unknown
xml
11.3 Kb
unknown
GET
200
20.74.47.205:443
https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20251025T082111Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=5c2101412cdf418e9103c6d2bcd00793&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1360&dispsize=47.3&dispvertres=768&fosver=16299&isu=0&lo=4276820&metered=false&nettype=ethernet&npid=sc-280815&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=133.0.3065.92&tl=2&tsu=1667350&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2
unknown
binary
3.20 Kb
unknown
GET
200
20.74.47.205:443
https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=310091&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20251025T082111Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=6f69bef49ed84350bccebe161c28b8a2&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1360&dispsize=47.3&dispvertres=768&fosver=16299&isu=0&lo=4276820&metered=false&nettype=ethernet&npid=sc-310091&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&rver=2&smBiosDm=DELL&stabedgever=133.0.3065.92&tl=2&tsu=1667350&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2
unknown
binary
1.34 Kb
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
3420
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5596
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2616
svchost.exe
20.190.160.66:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.16.241.205:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
2616
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
5596
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3440
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
1680
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
login.live.com
  • 20.190.160.66
  • 20.190.160.67
  • 20.190.160.5
  • 20.190.160.22
  • 40.126.32.74
  • 20.190.160.128
  • 40.126.32.138
  • 20.190.160.132
whitelisted
www.bing.com
  • 2.16.241.205
  • 2.16.241.201
  • 2.16.241.218
whitelisted
google.com
  • 142.250.186.46
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
arc.msn.com
  • 20.223.35.26
  • 20.199.58.43
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 74.178.76.128
whitelisted
www.microsoft.com
  • 104.79.89.142
whitelisted

Threats

No threats detected
Process | Message
men.exe | end