File name:

MAS_AIO-CRC32_8C3AA7E0.cmd

Full analysis: https://app.any.run/tasks/aa7c7431-0758-4ba4-961d-6821d62b33cd
Verdict: Malicious activity
Analysis date: August 30, 2024, 20:26:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with very long lines (311), with CRLF line terminators
MD5:

92CC8F1F67A875563D1299E7DD7B5723

SHA1:

BEE4ADFE87603F91067B9F868F7F42B34B2FBDEB

SHA256:

D666A4C7810B9D3FE9749F2D4E15C5A65D4AC0D7F0B14A144D6631CE61CC5DF3

SSDEEP:

3072:O/dR3S9mF2TJRMP0u+RciNiYFRd8nVFR3mP5sLtV7bJuAMTVFp6zGDNSCE2K0xOn:UAnHu+R7VLo97bJu9p6zGDNS0KgOuCV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 4540)
      • cmd.exe (PID: 2892)
      • powershell.exe (PID: 368)
      • cmd.exe (PID: 4080)
      • cmd.exe (PID: 964)
      • cmd.exe (PID: 5988)
      • cmd.exe (PID: 6708)
      • cmd.exe (PID: 3728)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 4540)
      • cmd.exe (PID: 4080)
      • cmd.exe (PID: 5988)
      • cmd.exe (PID: 3672)

    • Application launched itself

      • cmd.exe (PID: 4540)
      • cmd.exe (PID: 2892)
      • cmd.exe (PID: 4080)
      • cmd.exe (PID: 964)
      • cmd.exe (PID: 6708)
      • cmd.exe (PID: 3728)
      • cmd.exe (PID: 5988)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 4540)
      • cmd.exe (PID: 4080)
      • cmd.exe (PID: 5988)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4540)
      • cmd.exe (PID: 4008)
      • cmd.exe (PID: 5988)
      • cmd.exe (PID: 3832)

    • Executing commands from ".cmd" file

      • cmd.exe (PID: 4540)
      • powershell.exe (PID: 368)
      • cmd.exe (PID: 4080)
      • cmd.exe (PID: 5988)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 4080)
      • cmd.exe (PID: 5988)
      • cmd.exe (PID: 3672)

    • Hides command output

      • cmd.exe (PID: 4008)
      • cmd.exe (PID: 2476)
      • cmd.exe (PID: 788)
      • cmd.exe (PID: 3140)
      • cmd.exe (PID: 6556)
      • cmd.exe (PID: 5476)
      • cmd.exe (PID: 6380)
      • cmd.exe (PID: 6712)
      • cmd.exe (PID: 6140)
      • cmd.exe (PID: 5344)
      • cmd.exe (PID: 2992)
      • cmd.exe (PID: 3972)
      • cmd.exe (PID: 4708)
      • cmd.exe (PID: 5212)
      • cmd.exe (PID: 368)
      • cmd.exe (PID: 3672)
      • cmd.exe (PID: 568)
      • cmd.exe (PID: 7084)
      • cmd.exe (PID: 6836)

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 4008)
      • cmd.exe (PID: 5988)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 4008)
      • cmd.exe (PID: 5988)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6984)

    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 6984)

    • The process creates files with name similar to system file names

      • Dism.exe (PID: 6800)

    • Executable content was dropped or overwritten

      • Dism.exe (PID: 6800)

    • Process drops legitimate windows executable

      • Dism.exe (PID: 6800)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 5988)

    • Reads data from a binary Stream object (SCRIPT)

      • cscript.exe (PID: 4060)

    • The process executes VB scripts

      • cmd.exe (PID: 5988)

    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • cscript.exe (PID: 4060)

    • Gets full path of the running script (SCRIPT)

      • cscript.exe (PID: 4060)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 6556)
      • cmd.exe (PID: 5212)

    • Starts a Microsoft application from unusual location

      • DismHost.exe (PID: 32)

    • Uses WMIC.EXE to obtain service application data

      • cmd.exe (PID: 5988)

  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 4540)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 2816)
      • WMIC.exe (PID: 6724)
      • cscript.exe (PID: 4060)
      • WMIC.exe (PID: 6500)
      • WMIC.exe (PID: 3672)
      • WMIC.exe (PID: 4088)
      • WMIC.exe (PID: 6504)
      • WMIC.exe (PID: 5096)
      • WMIC.exe (PID: 6452)
      • WMIC.exe (PID: 6984)

    • Checks operating system version

      • cmd.exe (PID: 4540)
      • cmd.exe (PID: 4080)
      • cmd.exe (PID: 5988)

    • The process uses the downloaded file

      • powershell.exe (PID: 368)

    • Checks supported languages

      • mode.com (PID: 6852)
      • mode.com (PID: 2056)
      • mode.com (PID: 5164)
      • DismHost.exe (PID: 32)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 6984)

    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 6984)

    • Create files in a temporary directory

      • Dism.exe (PID: 6800)

    • Reads the computer name

      • DismHost.exe (PID: 32)

    • Reads Environment values

      • DismHost.exe (PID: 32)

    • Reads Microsoft Office registry keys

      • reg.exe (PID: 3832)
      • reg.exe (PID: 6780)
      • reg.exe (PID: 1700)
      • reg.exe (PID: 888)
      • reg.exe (PID: 7040)
      • reg.exe (PID: 6196)

    • Creates files in the program directory

      • cmd.exe (PID: 5988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.bib/bibtex/txt | BibTeX references (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
346
Monitored processes
216
Malicious processes
6
Suspicious processes
5

Behavior graph

Click at the process to see the details
start notepad.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs find.exe no specs findstr.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs fltmc.exe no specs powershell.exe no specs cmd.exe conhost.exe no specs sc.exe no specs find.exe no specs findstr.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs fltmc.exe no specs reg.exe no specs find.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs sc.exe no specs find.exe no specs findstr.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs find.exe no specs fltmc.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs ping.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs reg.exe no specs mode.com no specs choice.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs mode.com no specs choice.exe no specs mode.com no specs powershell.exe no specs powershell.exe no specs find.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs find.exe no specs wmic.exe no specs find.exe no specs sc.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs find.exe no specs reg.exe no specs find.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs find.exe no specs sc.exe no specs sc.exe no specs find.exe no specs sc.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs powershell.exe no specs sppextcomobj.exe no specs slui.exe no specs cmd.exe no specs find.exe no specs dism.exe dismhost.exe tiworker.exe no specs cmd.exe no specs cmd.exe no specs reg.exe no specs cscript.exe no specs cmd.exe no specs wmic.exe no specs find.exe no specs cmd.exe no specs findstr.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs wmic.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs powershell.exe no specs find.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs reg.exe no specs findstr.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs cmd.exe no specs find.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs powershell.exe no specs find.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
32C:\Users\admin\AppData\Local\Temp\6421217B-3C08-4393-A613-9135440696B9\dismhost.exe {C6D017A7-BAF7-4BA7-A076-C4E5416A4109}C:\Users\admin\AppData\Local\Temp\6421217B-3C08-4393-A613-9135440696B9\DismHost.exe
Dism.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Dism Host Servicing Process
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\6421217b-3c08-4393-a613-9135440696b9\dismhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
208find /i "C:\Users\admin\AppData\Local\Temp" C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
360fltmc C:\Windows\System32\fltMC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Filter Manager Control Program
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\fltmc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
360cmd /c exit /b 0C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
368powershell.exe "start cmd.exe -arg '/c \""""C:\Users\admin\Desktop\MAS_AIO-CRC32_8C3AA7E0.cmd.cmd""" -el \"' -verb runas" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
368C:\WINDOWS\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Microsoft\Office\ClickToRun /v InstallPath" 2>nulC:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
376\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
568C:\WINDOWS\system32\cmd.exe /S /D /c" echo "127.69.2.6" "C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
568C:\WINDOWS\system32\cmd.exe /c "reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\ClickToRun /v InstallPath" 2>nulC:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
736powershell.exe "$acl = Get-Acl '"C:\WINDOWS\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
Total events
53 144
Read events
53 131
Write events
13
Delete events
0

Modification events

(PID) Process:(368) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(368) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(368) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(368) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2768) reg.exeKey:HKEY_CURRENT_USER\Console
Operation:writeName:QuickEdit
Value:
0
(PID) Process:(6552) reg.exeKey:HKEY_CURRENT_USER\Console
Operation:writeName:QuickEdit
Value:
1
(PID) Process:(1496) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide
Operation:writeName:LastScavengingStarvationReport
Value:
3314B4101BFBDA01
(PID) Process:(1496) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdHigh
Value:
31128347
(PID) Process:(1496) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdLow
Value:
280237107
Executable files
50
Suspicious files
1
Text files
22
Unknown types
0

Dropped files

PID
Process
Filename
Type
5092powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2rtq1m1m.0da.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
368powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_o3neudbt.zbk.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6660powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mq5vgecn.z0s.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6660powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nglsskod.nfj.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
368powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qlpaiso1.rlj.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6800Dism.exeC:\Windows\Logs\DISM\dism.logtext
MD5:43773F2BEEA0A0E5698F580E96FECD95
SHA256:A049F5E4815D6EEFC59D3975CFB11C3E6EC5B1C6FD7265CFD0E3B18061A0B720
6800Dism.exeC:\Users\admin\AppData\Local\Temp\6421217B-3C08-4393-A613-9135440696B9\DismCore.dllexecutable
MD5:681186B5696BA7D46B6681C027A659AD
SHA256:FBB5135DE4F6A5C9422A0B218D676930DB9BC9A2AEA0F7219077862912455914
6800Dism.exeC:\Users\admin\AppData\Local\Temp\6421217B-3C08-4393-A613-9135440696B9\AppxProvider.dllexecutable
MD5:396C483D62FEA5FA0FD442C8DC99D4EF
SHA256:36F2AF43F10FD76FEEF65BF574D79D3E27FD40DAF61249880511543C1F17AD91
6984powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uwbmoqij.yil.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6800Dism.exeC:\Users\admin\AppData\Local\Temp\6421217B-3C08-4393-A613-9135440696B9\DismHost.exeexecutable
MD5:97CB1E2FCAB378421C4B91DF0C9F8310
SHA256:E36BCF02BC11F560761E943D0FAD37417078F6CBB473F85C72FCBC89E2600C58
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
27
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1280
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6308
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6308
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
6880
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6552
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6880
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3260
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1280
svchost.exe
40.126.32.76:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1280
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
6308
SIHClient.exe
40.68.123.157:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.206
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 40.126.32.76
  • 20.190.160.20
  • 40.126.32.138
  • 20.190.160.17
  • 40.126.32.140
  • 40.126.32.134
  • 20.190.160.14
  • 40.126.32.68
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
updatecheck.massgrave.dev
  • 127.69.2.6
unknown
slscr.update.microsoft.com
  • 40.68.123.157
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

No threats detected
Process
Message
Dism.exe
PID=6800 TID=3832 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore
Dism.exe
PID=6800 TID=3832 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnect
Dism.exe
PID=6800 TID=3832 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnect
Dism.exe
PID=6800 TID=3832 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
Dism.exe
PID=6800 TID=3832 Loading Provider from location C:\Windows\System32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProvider
Dism.exe
PID=6800 TID=3832 Connecting to the provider located at C:\Windows\System32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider
DismHost.exe
PID=32 TID=2400 Disconnecting the provider store - CDISMImageSession::Final_OnDisconnect
DismHost.exe
PID=32 TID=2400 Encountered a loaded provider DISMLogger. - CDISMProviderStore::Internal_DisconnectProvider
DismHost.exe
PID=32 TID=2400 Disconnecting Provider: DISMLogger - CDISMProviderStore::Internal_DisconnectProvider
Dism.exe
PID=6800 TID=3832 Encountered a loaded provider DISMLogger. - CDISMProviderStore::Internal_DisconnectProvider
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
MAS_AIO-CRC32_8C3AA7E0.cmd