File name:	01062025_1434_13.vbs
Full analysis:	https://app.any.run/tasks/d86be30c-4a46-4750-9589-7c4e0a2c4e8e
Verdict:	Malicious activity
Analysis date:	June 01, 2025, 14:40:50
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	evasion arch-exec arch-doc python
Indicators:
MIME:	text/plain
File info:	ASCII text
MD5:	0A8088B58AC914A3717CC91932B6C28A
SHA1:	7BE27F7807F485367649E668CD8F6F4B47D230F2
SHA256:	6D22E034B72328D1D63DDFBCBB8D0F3397A057467321098EDF36801A742CA1E4
SSDEEP:	6:j6Nqsks8XI+gPVmLyFPbGVzLh8JdDh8iB8XIYAGQO0wKjFl8u8v:Jsd8XIPPs+FPbGVvGHDh8O8XIYAHpwoe


(PID) Process:	(1696) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(1696) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(1696) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(1696) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(1696) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(1696) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(1696) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(1696) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\python311.zip
(PID) Process:	(1696) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation:	write	Name:	ArcSort
Value: 32
(PID) Process:	(1696) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation:	write	Name:	ArcSort
Value: 0

PID	Process	Filename		Type
5176	powershell.exe	C:\Users\admin\AppData\Local\Temp\python-embed.zip		compressed
		MD5:9199879FBAD4884ED93DDF77E8764920	SHA256:6347068CA56BF4DD6319F7EF5695F5A03F1ADE3E9AA2D6A095AB27FAA77A1290
7376	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gqvo3fjb.tce.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7376	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2x0rj1jx.1uq.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5176	powershell.exe	C:\Temp\PortablePython\LICENSE.txt		text
		MD5:B52C821C7750804295E23B9E94525085	SHA256:E502C6B880FF58D614901495A9009C136539CD0B1E2A2ABB8FC00B934C203419
5176	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wgp24zyg.jip.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5176	powershell.exe	C:\Temp\PortablePython\pyexpat.pyd		executable
		MD5:D7ECC2746314FEC5CA46B64C964EA93E	SHA256:58B95F03A2D7EC49F5260E3E874D2B9FB76E95ECC80537E27ABEF0C74D03CB00
5176	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_k5qflizk.xfq.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7376	powershell.exe	C:\Users\admin\AppData\Local\Temp\script.ps1		text
		MD5:9303AF8A1310D4A66684A660ED286551	SHA256:644D9AADA9EBE7D434753097BFA8875C4C41B545E8DD63E69EF54A6FEDE66624
5176	powershell.exe	C:\Temp\PortablePython\pythonw.exe		executable
		MD5:837DD66E580DDC9B5DCC191156A202C2	SHA256:E65ECC6B135F8C2269A2163F5C906376F2FEA3B61571D312D779F36F772CEAC1
5176	powershell.exe	C:\Temp\PortablePython\python.exe		executable
		MD5:AF3E610BE9DCBF04D79C40C328316F81	SHA256:01FD1819096D112696BD2152068C1195C9BD4F57B6AB776EDDD98D66D44B8259

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6544	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	POST	200	20.190.159.73:443	https://login.live.com/RST2.srf	unknown	xml	10.3 Kb	whitelisted
—	—	POST	200	40.126.32.136:443	https://login.live.com/RST2.srf	unknown	xml	11.0 Kb	whitelisted
—	—	POST	200	20.190.159.73:443	https://login.live.com/RST2.srf	unknown	xml	11.0 Kb	whitelisted
—	—	POST	200	20.190.160.14:443	https://login.live.com/RST2.srf	unknown	xml	10.3 Kb	whitelisted
—	—	POST	200	40.126.32.136:443	https://login.live.com/RST2.srf	unknown	xml	10.3 Kb	whitelisted
—	—	GET	200	151.101.64.223:443	https://www.python.org/ftp/python/3.11.8/python-3.11.8-embed-amd64.zip	unknown	compressed	10.6 Mb	whitelisted
—	—	GET	200	172.67.162.155:443	https://duwesfm.com/1.ps1	unknown	text	2.40 Kb	—
—	—	GET	200	172.202.163.200:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	compressed	23.9 Kb	whitelisted
5176	powershell.exe	GET	200	34.160.111.145:80	http://ifconfig.me/ip	unknown	—	—	shared

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6544	svchost.exe	20.190.159.75:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6544	svchost.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
2112	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7552	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1056	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7376	powershell.exe	104.21.15.124:443	duwesfm.com	CLOUDFLARENET	—	unknown

Domain	IP	Reputation
login.live.com	20.190.159.75 20.190.159.0 40.126.31.2 40.126.31.128 20.190.159.129 40.126.31.0 20.190.159.64 20.190.159.128	whitelisted
settings-win.data.microsoft.com	40.127.240.158 4.231.128.59	whitelisted
google.com	172.217.18.14	whitelisted
ocsp.digicert.com	2.23.77.188	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
duwesfm.com	104.21.15.124 172.67.162.155	unknown
ifconfig.me	34.160.111.145	shared
www.python.org	151.101.0.223 151.101.192.223 151.101.128.223 151.101.64.223	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET INFO PS1 Powershell File Request
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
2196	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Lookup Domain (ifconfig .me)
5176	powershell.exe	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
5176	powershell.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain (ifconfig .me)
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
5176	powershell.exe	Device Retrieving External IP Address Detected	SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
2196	svchost.exe	Misc activity	ET FILE_SHARING File Hosting Service Domain Domain in DNS Lookup (files .pythonhosted .org)
856	python.exe	Misc activity	ET INFO Observed File Hosting Service Domain (files .pythonhosted .org in TLS SNI)

General Info

01062025_1434_13.vbs

0A8088B58AC914A3717CC91932B6C28A

7BE27F7807F485367649E668CD8F6F4B47D230F2

6D22E034B72328D1D63DDFBCBB8D0F3397A057467321098EDF36801A742CA1E4

6:j6Nqsks8XI+gPVmLyFPbGVzLh8JdDh8iB8XIYAGQO0wKjFl8u8v:Jsd8XIPPs+FPbGVvGHDh8O8XIYAHpwoe

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes powershell execution policy (RemoteSigned)

SUSPICIOUS

The process bypasses the loading of PowerShell profile settings

Probably obfuscated PowerShell command line is found

Downloads file from URI via Powershell

Manipulates environment variables

The process executes Powershell scripts

Starts POWERSHELL.EXE for commands execution

Runs shell command (SCRIPT)

Application launched itself

Checks for external IP

Process drops python dynamic module

The process drops C-runtime libraries

Gets file extension (POWERSHELL)

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Loads Python modules

Process drops legitimate windows executable

INFO

Checks proxy server information

Disables trace logs

Manual execution by a user

The sample compiled with english language support

Checks if a key exists in the options dictionary (POWERSHELL)

Python executable

Checks whether the specified file exists (POWERSHELL)

Checks supported languages

Create files in a temporary directory

Checks operating system version

Drops encrypted JS script (Microsoft Script Encoder)

Reads the computer name

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Reads Microsoft Office registry keys

Creates files or folders in the user directory

Reads the software policy settings

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity