File name:

Winhance.ps1

Full analysis: https://app.any.run/tasks/1cb06187-2d48-42fa-819d-91c2e27b77e4
Verdict: Malicious activity
Analysis date: February 08, 2025, 07:31:08
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

60CF39CDA00FC2FCA602B924EC1D5700

SHA1:

CE16EB16FA02AD3A2706870673890945618A791A

SHA256:

B3B6AEC0DA55A5BFA2FCEE847DBEEF5A5EE327AC2E5F7886629B637B6F7F8954

SSDEEP:

3072:IC2nUjV7vP5uxu1RkswSiRyw7sVuEK78qpfGdnZYKGwNLn/uVLgoUiqCtnewM:t2ngV7vP/SsVuEKVfGdnZnVn/igtp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4628)
      • powershell.exe (PID: 3080)

    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 4628)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 3080)

  • SUSPICIOUS

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 3724)
      • csc.exe (PID: 2928)
      • csc.exe (PID: 3436)
      • csc.exe (PID: 4716)

    • Executable content was dropped or overwritten

      • csc.exe (PID: 3724)
      • csc.exe (PID: 2928)
      • csc.exe (PID: 3436)
      • csc.exe (PID: 4716)

    • Checks a user's role membership (POWERSHELL)

      • powershell.exe (PID: 4628)
      • powershell.exe (PID: 3080)

    • Application launched itself

      • powershell.exe (PID: 4628)

    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 4628)

    • The process executes Powershell scripts

      • powershell.exe (PID: 4628)

    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 4628)

    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 3080)

    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 3080)

  • INFO

    • Checks supported languages

      • csc.exe (PID: 3724)
      • cvtres.exe (PID: 4136)
      • csc.exe (PID: 2928)
      • cvtres.exe (PID: 4264)
      • csc.exe (PID: 3436)
      • cvtres.exe (PID: 3532)
      • cvtres.exe (PID: 3364)
      • csc.exe (PID: 4716)

    • Create files in a temporary directory

      • cvtres.exe (PID: 4136)
      • csc.exe (PID: 3724)
      • csc.exe (PID: 2928)
      • cvtres.exe (PID: 4264)
      • cvtres.exe (PID: 3532)
      • csc.exe (PID: 3436)
      • cvtres.exe (PID: 3364)
      • csc.exe (PID: 4716)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 3724)
      • csc.exe (PID: 2928)
      • csc.exe (PID: 4716)
      • csc.exe (PID: 3436)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3080)

    • Reads mouse settings

      • powershell.exe (PID: 3080)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 3080)

    • Creates files in the program directory

      • powershell.exe (PID: 3080)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xaml | Microsoft Extensible Application Markup Language (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
12
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe no specs conhost.exe no specs csc.exe cvtres.exe no specs csc.exe cvtres.exe no specs powershell.exe conhost.exe no specs csc.exe cvtres.exe no specs csc.exe cvtres.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2928"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\uptfuzzq.cmdline"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
3080"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\admin\Desktop\Winhance.ps1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3364C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESA0C7.tmp" "c:\Users\admin\AppData\Local\Temp\f20a5v2l\CSC9A8F1FB66C514C628829D7AB04D4B48.TMP"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
3436"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\3xtywtyf\3xtywtyf.cmdline"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
3532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES9FFC.tmp" "c:\Users\admin\AppData\Local\Temp\3xtywtyf\CSCC82E3F31A5894B89A1CA7E3126DB7A29.TMP"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
3724"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\e5g5fkoq.cmdline"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
4136C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES8F04.tmp" "c:\Users\admin\AppData\Local\Temp\CSCCCB2E3713BFE4DDEA19F4D5334C3D010.TMP"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_clr0400.dll
4264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES8FA1.tmp" "c:\Users\admin\AppData\Local\Temp\CSCEC3FC73350BA4AC989387A90C76233E.TMP"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase_clr0400.dll
4320\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4500\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
15 238
Read events
15 238
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
17
Text files
16
Unknown types
0

Dropped files

PID
Process
Filename
Type
4628powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G0XOLWQ3KUZNI7AD1L95.tempbinary
MD5:11A32DDF3E016C881FEFB37669CC9196
SHA256:C31F6FD3E05D38CFC5D9FDA3B6225ACB03B19750140C3CC500C15A050CBE667F
4628powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:11A32DDF3E016C881FEFB37669CC9196
SHA256:C31F6FD3E05D38CFC5D9FDA3B6225ACB03B19750140C3CC500C15A050CBE667F
4628powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1379c7.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
4628powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hvgvoodd.hvh.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4628powershell.exeC:\Users\admin\AppData\Local\Temp\e5g5fkoq.cmdlinetext
MD5:29FCA6068AC37D9655F2C6EE7008BD1A
SHA256:25679ED281A2A2B61356AFB9EA6E4AFADAF7FF218AE07A77855EA1A4373FD186
4628powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bxd3adab.rni.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2928csc.exeC:\Users\admin\AppData\Local\Temp\uptfuzzq.dllexecutable
MD5:D0B6D989BAFEED75F9929D746F3B7519
SHA256:682B3942180B4992431C3012C416EFB6386A8FB052D5D64FE09C05CD1D759026
4628powershell.exeC:\Users\admin\AppData\Local\Temp\uptfuzzq.0.cstext
MD5:192212FD8703F800C49BA96F01932522
SHA256:319AF060598B22FCEA608F61EF06539A09578B4AA8CAF3DFD1F5619A3D9F33CC
2928csc.exeC:\Users\admin\AppData\Local\Temp\CSCEC3FC73350BA4AC989387A90C76233E.TMPbinary
MD5:BA167B7FDEF29E6F2A603FBF488BA783
SHA256:FEAEB5560D7B42BC5C90B5F8B13C0B134098C22B9FFEE5B7B9FFEE408F2998E8
4628powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:1CE9B8CE3F69CA5D83AAD82997E529EE
SHA256:DCAD732C725A4E9AFFBF2B7A4EB194C9B4A869EA5ADFCC1343EE0E05631367DB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
19
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5392
svchost.exe
GET
200
23.32.238.112:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.32.238.112:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5392
svchost.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5392
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5392
svchost.exe
23.32.238.112:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.32.238.112:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5392
svchost.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3976
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5392
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 23.32.238.112
  • 23.32.238.107
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
self.events.data.microsoft.com
  • 20.42.65.93
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Winhance.ps1