| File name: | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive |
| Full analysis: | https://app.any.run/tasks/30a35cbe-f7de-43c4-b89b-440974ddcb19 |
| Verdict: | Malicious activity |
| Analysis date: | April 26, 2020, 08:37:24 |
| OS: | Windows 10 Professional (build: 16299, 64 bit) |
| Indicators: | |
| MIME: | application/octet-stream |
| File info: | data |
| MD5: | 2923800BD3C347420953E29BF46DA3DB |
| SHA1: | 4674F688EDD7F8B17158972046FACE664DCCC1C5 |
| SHA256: | 8EBA227C515B8B06F1D118E2A3A0EACA0723A93B861EBF2BA9805B4BC6A757A6 |
| SSDEEP: | 384:gOQsmws3xnWAQzWhJiBN2jKbj8z3/dwXWGJ2o/ioFhZHSQV/gVifsR8piY6isyEE:MhBN/Ji/tjU/dAWGIaioFX7/ufeV6hyP |
MALICIOUS
No malicious indicators.SUSPICIOUS
Executed via COM
- OpenWith.exe (PID: 5992)
- RuntimeBroker.exe (PID: 5352)
- rundll32.exe (PID: 4232)
- OpenWith.exe (PID: 6024)
- OpenWith.exe (PID: 4448)
Modifies the open verb of a shell class
- OpenWith.exe (PID: 5992)
Checks supported languages
- OpenWith.exe (PID: 5992)
- powershell.exe (PID: 2516)
- RuntimeBroker.exe (PID: 5352)
- OpenWith.exe (PID: 6024)
- powershell.exe (PID: 1108)
Executes PowerShell scripts
- OpenWith.exe (PID: 5992)
- OpenWith.exe (PID: 6024)
Creates files in the user directory
- powershell.exe (PID: 2516)
- powershell.exe (PID: 1108)
Reads the machine GUID from the registry
- powershell.exe (PID: 2516)
- powershell.exe (PID: 1108)
INFO
Reads settings of System Certificates
- powershell.exe (PID: 2516)
- powershell.exe (PID: 1108)
Reads the software policy settings
- powershell.exe (PID: 2516)
- powershell.exe (PID: 1108)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
92
Monitored processes
10
Malicious processes
0
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 384 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\WINDOWS\system32\conhost.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1108 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\admin\AppData\Local\Temp\StartupProfileData-NonInteractive" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | OpenWith.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2516 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\admin\AppData\Local\Temp\StartupProfileData-NonInteractive" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | OpenWith.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3560 | "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\StartupProfileData-NonInteractive | C:\WINDOWS\system32\rundll32.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4232 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\WINDOWS\System32\rundll32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4448 | C:\WINDOWS\system32\OpenWith.exe -Embedding | C:\WINDOWS\system32\OpenWith.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5352 | C:\Windows\System32\RuntimeBroker.exe -Embedding | C:\Windows\System32\RuntimeBroker.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Runtime Broker Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5708 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\WINDOWS\system32\conhost.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5992 | C:\WINDOWS\system32\OpenWith.exe -Embedding | C:\WINDOWS\system32\OpenWith.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6024 | C:\WINDOWS\system32\OpenWith.exe -Embedding | C:\WINDOWS\system32\OpenWith.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
5 322
Read events
4 939
Write events
382
Delete events
1
Modification events
| (PID) Process: | (3560) rundll32.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached |
| Operation: | write | Name: | {E44E9428-BDBC-4987-A099-40DC8FD255E7} {6A283FE2-ECFA-4599-91C4-E80957137B26} 0xFFFF |
Value: 01000000000000001CC27DEFA51BD601 | |||
| (PID) Process: | (5992) OpenWith.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\192\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (5992) OpenWith.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU |
| Operation: | write | Name: | MRUListEx |
Value: FFFFFFFF | |||
| (PID) Process: | (5992) OpenWith.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | NodeSlots |
Value: 0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202 | |||
| (PID) Process: | (5992) OpenWith.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | MRUListEx |
Value: 040000000300000000000000080000000100000007000000060000000500000002000000FFFFFFFF | |||
| (PID) Process: | (5992) OpenWith.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0 |
| Operation: | write | Name: | MRUListEx |
Value: 050000000100000004000000080000000700000006000000000000000200000003000000FFFFFFFF | |||
| (PID) Process: | (5992) OpenWith.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\40\Shell |
| Operation: | write | Name: | SniffedFolderType |
Value: Generic | |||
| (PID) Process: | (5992) OpenWith.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | GlobalAssocChangedCounter |
Value: 87 | |||
| (PID) Process: | (5992) OpenWith.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0\5 |
| Operation: | write | Name: | 4 |
Value: 6C003100000000003D4BD16D10005749443542317E310000540009000400EFBE3D4BD16D3D4BD16D2E0000000AA4010000000400000000000000000000000000000010495E00570069006E0064006F007700730050006F007700650072005300680065006C006C00000018000000 | |||
| (PID) Process: | (5992) OpenWith.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0\5 |
| Operation: | write | Name: | MRUListEx |
Value: 0400000003000000010000000200000000000000FFFFFFFF | |||
Executable files
0
Suspicious files
2
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2516 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I3FTXFLDY20Q0LC3HJRE.temp | — | |
MD5:— | SHA256:— | |||
| 2516 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_radeikwv.2b1.ps1 | — | |
MD5:— | SHA256:— | |||
| 2516 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_joiatm5j.bij.psm1 | — | |
MD5:— | SHA256:— | |||
| 1108 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P9JBRE0ZQ066T74BSNM6.temp | — | |
MD5:— | SHA256:— | |||
| 1108 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ew0ojsit.zuu.ps1 | — | |
MD5:— | SHA256:— | |||
| 1108 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bftlvzvr.huc.psm1 | — | |
MD5:— | SHA256:— | |||
| 2516 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:— | SHA256:— | |||
| 1108 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
DNS requests
Domain | IP | Reputation |
|---|---|---|
self.events.data.microsoft.com |
| whitelisted |
Threats
Process | Message |
|---|---|
conhost.exe | InitSideBySide failed create an activation context. Error: 1814 |
conhost.exe | InitSideBySide failed create an activation context. Error: 1814 |