File name: MAS_AIO.cmd

Full analysis: https://app.any.run/tasks/ac978fbe-eb95-4879-bbe7-26796cd34973
Verdict: Malicious activity
Analysis date: May 20, 2025, 22:25:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (322), with CRLF line terminators
MD5: C629E3FC83392E4BC921FFF9C4744ECD
SHA1: 5FE666236F165A925967EF542B618AD297B747AF
SHA256: D2D9A971593F588196FE6CE131B8E40FC23614B6AD833E76C8E9E6D5C8260A92
SSDEEP: 6144:6d94QImQ+5/T5ntq3kX1vT6lDrGtSNFX/QG+Dw3KWXbgu1p+fzGnFSQixBrSQ:6T4y5TDq4sDqKXl+E7XbnpPi3eQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • net.exe (PID: 2240)
      • cmd.exe (PID: 7572)
      • net.exe (PID: 5344)
      • net.exe (PID: 6632)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 4996)
      • cmd.exe (PID: 6108)
      • powershell.exe (PID: 7260)
      • cmd.exe (PID: 7732)
      • cmd.exe (PID: 7572)
      • cmd.exe (PID: 5392)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6108)
      • cmd.exe (PID: 7572)
    • Application launched itself

      • cmd.exe (PID: 4996)
      • cmd.exe (PID: 6108)
      • cmd.exe (PID: 7572)
      • cmd.exe (PID: 5392)
      • cmd.exe (PID: 7732)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 6108)
      • cmd.exe (PID: 7572)
      • powershell.exe (PID: 7260)
    • Executing commands from ".cmd" file

      • cmd.exe (PID: 6108)
      • cmd.exe (PID: 7572)
      • powershell.exe (PID: 7260)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6108)
      • cmd.exe (PID: 7572)
    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 7572)
    • Hides command output

      • cmd.exe (PID: 8080)
      • cmd.exe (PID: 8128)
      • cmd.exe (PID: 300)
      • cmd.exe (PID: 3140)
      • cmd.exe (PID: 1052)
      • cmd.exe (PID: 680)
      • cmd.exe (PID: 2800)
      • cmd.exe (PID: 7352)
      • cmd.exe (PID: 7324)
      • cmd.exe (PID: 5328)
      • cmd.exe (PID: 2904)
      • cmd.exe (PID: 7020)
      • cmd.exe (PID: 8180)
      • cmd.exe (PID: 8132)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7572)
    • Windows service management via SC.EXE

      • sc.exe (PID: 632)
      • sc.exe (PID: 1280)
      • sc.exe (PID: 6592)
      • sc.exe (PID: 5960)
      • sc.exe (PID: 1600)
      • sc.exe (PID: 4152)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 7572)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 3140)
      • cmd.exe (PID: 7572)
      • cmd.exe (PID: 4736)
      • cmd.exe (PID: 7880)
      • cmd.exe (PID: 7964)
      • cmd.exe (PID: 7392)
      • cmd.exe (PID: 7752)
    • Uses WMIC.EXE to obtain service application data

      • cmd.exe (PID: 7148)
      • cmd.exe (PID: 7572)
    • The process executes VB scripts

      • cmd.exe (PID: 7572)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • cscript.exe (PID: 7672)
    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 7672)
    • Connects to unusual port

      • SppExtComObj.Exe (PID: 8036)
  • INFO

    • Checks operating system version

      • cmd.exe (PID: 6108)
      • cmd.exe (PID: 7572)
    • Checks supported languages

      • mode.com (PID: 7904)
      • mode.com (PID: 7328)
      • mode.com (PID: 7000)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7828)
      • WMIC.exe (PID: 2088)
      • WMIC.exe (PID: 5408)
      • WMIC.exe (PID: 6388)
      • WMIC.exe (PID: 4756)
      • WMIC.exe (PID: 7548)
      • WMIC.exe (PID: 616)
      • WMIC.exe (PID: 7336)
      • WMIC.exe (PID: 4448)
      • WMIC.exe (PID: 7524)
      • WMIC.exe (PID: 6468)
      • cscript.exe (PID: 7672)
      • WMIC.exe (PID: 7792)
      • WMIC.exe (PID: 7856)
      • WMIC.exe (PID: 5376)
      • WMIC.exe (PID: 7980)
      • WMIC.exe (PID: 8116)
      • WMIC.exe (PID: 5984)
      • WMIC.exe (PID: 7388)
      • WMIC.exe (PID: 4180)
      • WMIC.exe (PID: 6404)
      • WMIC.exe (PID: 456)
      • WMIC.exe (PID: 6080)
      • WMIC.exe (PID: 6208)
      • WMIC.exe (PID: 7244)
      • WMIC.exe (PID: 864)
      • WMIC.exe (PID: 6744)
      • WMIC.exe (PID: 1228)
      • WMIC.exe (PID: 904)
      • WMIC.exe (PID: 4452)
      • WMIC.exe (PID: 2316)
      • WMIC.exe (PID: 7316)
      • WMIC.exe (PID: 5956)
      • WMIC.exe (PID: 4528)
      • WMIC.exe (PID: 7784)
    • Starts MODE.COM to configure console settings

      • mode.com (PID: 7000)
      • mode.com (PID: 7328)
      • mode.com (PID: 7904)
    • Reads Microsoft Office registry keys

      • reg.exe (PID: 5228)
      • reg.exe (PID: 2568)
      • reg.exe (PID: 6132)
      • reg.exe (PID: 5956)
      • reg.exe (PID: 4152)
      • reg.exe (PID: 8188)
      • reg.exe (PID: 7920)
No Malware configuration.

TRiD

.bib/bibtex/txt | BibTeX references (100)
No data.
Total processes: 422
Monitored processes: 281
Malicious processes: 3
Suspicious processes: 2

Behavior graph

Interactive graph available only in the full report. Process nodes present in the graph (in order of first appearance): cmd.exe, conhost.exe, findstr.exe, reg.exe, find.exe, powershell.exe, sppextcomobj.exe, slui.exe, mode.com, choice.exe, wmic.exe, ping.exe, pathping.exe, sc.exe, net.exe, net1.exe, cscript.exe, ucpdmgr.exe. The nodes flagged in the graph (rather than listed as "no specs") are cmd.exe and sppextcomobj.exe.

Process information

PID: 300
CMD: C:\WINDOWS\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k 2>nul | FIND /I "CurrentVersion"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 456
CMD: findstr /I /C:"O365BusinessRetail" "C:\WINDOWS\Temp\c2rchk.txt"
Path: C:\Windows\System32\findstr.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 456
CMD: wmic path SoftwareLicensingProduct where (ID='3f1afc82-f8ac-4f6c-8005-1d233e606eee') get LicenseStatus /value
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 456
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: UCPDMgr.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 516
CMD: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /v KeyManagementServiceName /t REG_SZ /d "124.223.166.218" /reg:32
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 536
CMD: findstr /i "e0c42288-980c-4788-a014-c080d2e1926e"
Path: C:\Windows\System32\findstr.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 616
CMD: wmic path SoftwareLicensingProduct where (Description like '%KMSCLIENT%' ) get Name /value
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 632
CMD: sc query sppsvc
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 668
CMD: C:\WINDOWS\system32\cmd.exe /c ECHO Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.4046
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 668
CMD: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServicePort /t REG_SZ /d "1688"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
Total events: 27 997
Read events: 27 968
Write events: 22
Delete events: 7

Modification events

PID 5972, reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform
Operation: write
Name: NoGenTicket
Value: 1

PID 5228, reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform
Operation: write
Name: KeyManagementServiceName
Value: 124.223.166.218

PID 2568, reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform
Operation: write
Name: KeyManagementServicePort
Value: 1688

PID 5056, reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
Operation: write
Name: KeyManagementServiceName
Value: 124.223.166.218

PID 4488, reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
Operation: write
Name: KeyManagementServicePort
Value: 1688

PID 6388, reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663
Operation: write
Name: KeyManagementServicePort
Value: 1688

PID 4408, reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663
Operation: write
Name: KeyManagementServiceName
Value: 124.223.166.218

PID 516, reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663
Operation: write
Name: KeyManagementServiceName
Value: 124.223.166.218

PID 4452, reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663
Operation: write
Name: KeyManagementServicePort
Value: 1688

PID 8188, reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform
Operation: write
Name: KeyManagementServiceName
Value: 101.32.163.10

Executable files: 0
Suspicious files: 1
Text files: 6
Unknown types: 0

Dropped files

PID 7260, powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: D4280B15F1B5DB0CAC13AB6E6B1F70B4
SHA256: B4CAF5B981C37E166CA184495C8D2CCC8685F4971E30DE9BD9F10AA306D0B84C

PID 7260, powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tapvy5m0.ekb.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 7976, powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3f5qgik2.yc4.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 7572, cmd.exe
Filename: C:\Windows\Temp\slmgr.vbs
Type: text
MD5: 3903BCAB32A4A853DFA54962112D4D02
SHA256: 95FC646D222D324DB46F603A7F675C329FE59A567ED27FDAED2A572A19206816

PID 7260, powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1iooeqql.3g5.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 7976, powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_x3vwnqfb.ggy.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 7572, cmd.exe
Filename: C:\Windows\Temp\c2rchk.txt
Type: text
MD5: D57FBDD4D9B2D0BBACC4088E18EAF010
SHA256: D4F290F488267D8076273CD57451947C2EAF895E6DDB28BD41F252955C236E8F
HTTP(S) requests: 5
TCP/UDP connections: 48
DNS requests: 22
Threats: 0

HTTP requests

PID  | Process      | Method | HTTP Code | IP                | URL                                                                                                                                                        | CN      | Reputation
-    | -            | GET    | 200       | 23.35.229.160:80  | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl                                                                                         | unknown | whitelisted
7648 | SIHClient.exe | GET    | 200       | 23.35.229.160:80  | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl                                                 | unknown | whitelisted
-    | -            | GET    | 200       | 23.48.23.176:80   | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl                                                                                  | unknown | whitelisted
7648 | SIHClient.exe | GET    | 200       | 23.35.229.160:80  | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl                                                              | unknown | whitelisted
6544 | svchost.exe  | GET    | 200       | 2.23.77.188:80    | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D            | unknown | whitelisted

Connections

PID  | Process     | IP                   | Domain                          | ASN                         | CN | Reputation
4    | System      | 192.168.100.255:137  | -                               | -                           | -  | whitelisted
-    | -           | 51.104.136.2:443     | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
-    | -           | 23.48.23.176:80      | crl.microsoft.com               | Akamai International B.V.   | DE | whitelisted
-    | -           | 23.35.229.160:80     | www.microsoft.com               | AKAMAI-AS                   | DE | whitelisted
-    | -           | 4.231.128.59:443     | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4    | System      | 192.168.100.255:138  | -                               | -                           | -  | whitelisted
3216 | svchost.exe | 172.211.123.250:443  | client.wns.windows.com          | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 40.126.31.3:443      | login.live.com                  | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 2.23.77.188:80       | ocsp.digicert.com               | AKAMAI-AS                   | DE | whitelisted
2104 | svchost.exe | 40.127.240.158:443   | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.48.23.176
  • 23.48.23.147
  • 23.48.23.194
  • 23.48.23.141
  • 23.48.23.166
  • 23.48.23.158
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
google.com
  • 142.250.186.110
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.31.3
  • 40.126.31.0
  • 20.190.159.4
  • 20.190.159.129
  • 40.126.31.71
  • 40.126.31.131
  • 20.190.159.75
  • 20.190.159.130
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
win.kms.pub
  • 107.175.77.7
unknown

Threats

No threats detected
No debug info