File name: WindowsUpdate.ps1

Full analysis: https://app.any.run/tasks/adcdcdce-f58d-4874-9cc0-543c0f61d0b0
Verdict: Malicious activity
Analysis date: May 18, 2025, 10:15:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: susp-powershell, lua
Indicators:
MIME: text/plain
File info: Unicode text, UTF-16, little-endian text, with very long lines (4729), with CRLF line terminators
MD5: 11159D6A99B66A8F158F7410350CA727
SHA1: EFBFFC809D1645BC196231951AA1E7F695180CD3
SHA256: 7C846629E0C60135165A240803E8DF5A9E5D4A8588B903D431D07E7A63C508B3
SSDEEP: 192:BJEaBB8CMPVQwdja9Pfx6ShbaHAIUtb1LjtsBJ5WzeBydapie2ISrt:BFBB8NRa9PgShbaHHUtbJeP5WzEydapG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Modifies registry (POWERSHELL)

      • powershell.exe (PID: 8012)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7412)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • vlc.exe (PID: 2320)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 8012)
      • powershell.exe (PID: 7412)
    • Checks a user's role membership (POWERSHELL)

      • powershell.exe (PID: 8012)
  • INFO

    • Reads the computer name

      • vlc.exe (PID: 2320)
    • Checks supported languages

      • vlc.exe (PID: 2320)
    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • vlc.exe (PID: 2320)
    • The process uses Lua

      • vlc.exe (PID: 2320)
    • Manual execution by a user

      • powershell.exe (PID: 8012)
      • powershell.exe (PID: 7412)
    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 8012)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 8012)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 8012)
    • Gets or sets the time when the file was last written to (POWERSHELL)

      • powershell.exe (PID: 8012)
    • Disables trace logs

      • powershell.exe (PID: 7412)
    • Checks proxy server information

      • powershell.exe (PID: 7412)
      • slui.exe (PID: 5116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.txt | Text - UTF-16 (LE) encoded (66.6)
.mp3 | MP3 audio (33.3)
All screenshots are available in the full report
Total processes: 143
Monitored processes: 9
Malicious processes: 0
Suspicious processes: 2

Process information

PID | CMD | Path | Indicators | Parent process
PID: 2320
CMD: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file C:\Users\admin\AppData\Local\Temp\WindowsUpdate.ps1.mp3
Path: C:\Program Files\VideoLAN\VLC\vlc.exe
Parent process: explorer.exe
User: admin
Company: VideoLAN
Integrity Level: MEDIUM
Description: VLC media player
Version: 3.0.11
Modules
Images
c:\program files\videolan\vlc\vlc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 5116
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7256
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 7288
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7412
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass "C:\Users\admin\Documents\WindowsPowerShell\profile.ps1"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 3221225786 (0xC000013A)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
PID: 7500
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 7540
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 8012
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 8020
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 12 339
Read events: 12 338
Write events: 1
Delete events: 0

Modification events

(PID) Process: (8012) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Updater
Value: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden
Executable files: 2
Suspicious files: 6
Text files: 7
Unknown types: 0

Dropped files

PID | Process | Filename | Type

8012 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary
MD5: D0E18F2F93CB89F64926387CC27A6365
SHA256: 93A41A7E172B33EC19651398A3393F1A71F5352F716FB425989D12D5123ED951

8012 | powershell.exe | C:\Users\admin\Documents\WindowsPowerShell\profile.ps1 | text
MD5: 345616EB44754F1A9A4EDAF2D401FCFD
SHA256: A28C933DCB00FE8036D259E310B30647DA6416D6FA3BAE1CD418497671A15886

8012 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_u3rcdg5w.siu.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

8012 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt | text
MD5: 0F6393E1DF3127CCDC15C88A35FDD1C6
SHA256: C3C419652F0F210A39CE91B9F93A74BAB9A539E8712225F80A58C3DFA12E30D3

2320 | vlc.exe | C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini.At2320 | text
MD5: 31E815A0DB3506CF757542A17871BECE
SHA256: 359B55079DACA0F8AD59A1B4AF0B74A4349C8C4C77EE5E43E5484DCFBAFB70E5

2320 | vlc.exe | C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock | text
MD5: 790C0DD3BB21B3C3E66A81D7BB8BF315
SHA256: 2BE81EAC32F563E2FE575DED688B43037DB1C241412A08EC23797512DA252EC7

8012 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CCR58AFDU0418E08QGI1.temp | binary
MD5: D0E18F2F93CB89F64926387CC27A6365
SHA256: 93A41A7E172B33EC19651398A3393F1A71F5352F716FB425989D12D5123ED951

2320 | vlc.exe | C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini | text
MD5: 31E815A0DB3506CF757542A17871BECE
SHA256: 359B55079DACA0F8AD59A1B4AF0B74A4349C8C4C77EE5E43E5484DCFBAFB70E5

8012 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF110b86.TMP | binary
MD5: D040F64E9E7A2BB91ABCA5613424598E
SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670

7412 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12865e.TMP | binary
MD5: D0E18F2F93CB89F64926387CC27A6365
SHA256: 93A41A7E172B33EC19651398A3393F1A71F5352F716FB425989D12D5123ED951
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info