File name:	_eab74cb48e2926577d16ea10695b75185ca6c4b36f365c117e1cabe4900c6cd2.txt
Full analysis:	https://app.any.run/tasks/505813f2-819d-4fab-87a7-f193f96973f8
Verdict:	Malicious activity
Analysis date:	August 02, 2025, 04:07:22
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	text/plain
File info:	Unicode text, UTF-8 text, with very long lines (738)
MD5:	1EA32CF0E9D1919FF2BED1E8D79E3BAF
SHA1:	C13AA7BAB0AF75936E9CA8D43C97D7020632051C
SHA256:	EAB74CB48E2926577D16EA10695B75185CA6C4B36F365C117E1CABE4900C6CD2
SSDEEP:	192:mkaK9ymziLVWOr2jcyOuME+xOpYGJjxKn60W:mNj0OT9Ox


(PID) Process:	(7008) StartMenuExperienceHost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties
Operation:	write	Name:	Completed
Value: 1
(PID) Process:	(7008) StartMenuExperienceHost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties_AppUsageData
Operation:	write	Name:	Completed
Value: 1
(PID) Process:	(7008) StartMenuExperienceHost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties_TargetedContentTiles
Operation:	write	Name:	Completed
Value: 1
(PID) Process:	(5676) SearchApp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Flighting
Operation:	write	Name:	CachedFeatureString
Value:
(PID) Process:	(7008) StartMenuExperienceHost.exe	Key:	\REGISTRY\A\{33d3e75b-3ce0-3cb8-a5e6-26f939fcc9ad}\LocalState\DataCorruptionRecovery
Operation:	write	Name:	InitializationAttemptCount
Value: 01000000B0C3C3FB6203DC01
(PID) Process:	(7008) StartMenuExperienceHost.exe	Key:	\REGISTRY\A\{33d3e75b-3ce0-3cb8-a5e6-26f939fcc9ad}\LocalState\DataCorruptionRecovery
Operation:	write	Name:	InitializationAttemptCount
Value: 0000000063F1E9FB6203DC01
(PID) Process:	(5676) SearchApp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
Operation:	write	Name:	SafeSearchMode
Value: 1
(PID) Process:	(5676) SearchApp.exe	Key:	\REGISTRY\A\{0836b6ad-4f87-ba82-0a59-17a21df12247}\LocalState
Operation:	write	Name:	BINGIDENTITY_PROP_USEREMAIL
Value: 0000ED8D06FC6203DC01
(PID) Process:	(5676) SearchApp.exe	Key:	\REGISTRY\A\{0836b6ad-4f87-ba82-0a59-17a21df12247}\LocalState
Operation:	write	Name:	BINGIDENTITY_PROP_ACCOUNTTYPETEXT
Value: 000015F108FC6203DC01
(PID) Process:	(5676) SearchApp.exe	Key:	\REGISTRY\A\{0836b6ad-4f87-ba82-0a59-17a21df12247}\LocalState
Operation:	write	Name:	BINGIDENTITY_PROP_ACCOUNTTYPE
Value: 000015F108FC6203DC01

PID	Process	Filename		Type
1056	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_v5emcnho.4px.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1056	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EF3SR19WZHVJRQQDPWZQ.temp		binary
		MD5:AECC159C182B1D1CE9C45E3C76324467	SHA256:EF506B339BA6C7987F8266FFA1656364ADB2D4E4286F24572973E9362FE92C4D
1056	powershell.exe	C:\Users\admin\AppData\Local\Temp\chnzw540.cmdline		text
		MD5:D411CDDF0D97F4B7B34329555C7E168F	SHA256:30B199E8D652C6C19DC1B6773E9480392A975E13033A05B117C262BFAF47CAAA
1056	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF18dc22.TMP		binary
		MD5:00A03B286E6E0EBFF8D9C492365D5EC2	SHA256:4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615
3052	csc.exe	C:\Users\admin\AppData\Local\Temp\CSCB50D8D3FBA4B6C8E545C2F892C5C53.TMP		res
		MD5:5BB520DB6955D18A41EBC76195A8D8CF	SHA256:00F0BECA4FA26CA62F0671D89AC08E1A460B96F38A791D10EF0D8776178C5135
5236	csc.exe	C:\Users\admin\AppData\Local\Temp\chnzw540.out		text
		MD5:EFF1D29C7487311514196FB1097FA325	SHA256:D30D0A58CD5B900F6828FD7C52BB225A6E2FB6020EEB15D3DB405F6BFB02BA44
1056	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cntpxvyb.2dk.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5236	csc.exe	C:\Users\admin\AppData\Local\Temp\chnzw540.dll		executable
		MD5:A93C15316AEB5AE3DE831F199E7CE1F7	SHA256:F9F0AFE491C7D18441DCE9F857BC336693DEC57A527ADD45DD7A63E77733A36E
1056	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms		binary
		MD5:AECC159C182B1D1CE9C45E3C76324467	SHA256:EF506B339BA6C7987F8266FFA1656364ADB2D4E4286F24572973E9362FE92C4D
3052	csc.exe	C:\Users\admin\AppData\Local\Temp\yoaog0n2.out		text
		MD5:C9F877CC2F6B88E77FB301199E5CFE8C	SHA256:D5AE66B691EBFE113418D90272E3BCA984D3B3BA767CD7F4F3B871F057F0C949

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	23.216.77.42:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3584	RUXIMICS.exe	GET	200	23.216.77.42:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.216.77.42:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3584	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	92.123.104.52:443	https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init	unknown	html	132 Kb	whitelisted
—	—	GET	200	92.123.104.31:443	https://www.bing.com/manifest/threshold.appcache	unknown	text	2.97 Kb	whitelisted
—	—	POST	204	92.123.104.62:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	whitelisted
—	—	GET	200	92.123.104.38:443	https://www.bing.com/rb/16/jnc,nj/-M-8YWX0KlEtdAHVrkTvKQHOghs.js?bu=Dicwe4sBkgGVAYgBgQGFAcABwwEwuAHGAQ&or=w	unknown	binary	22.0 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3584	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	23.216.77.42:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.216.77.42:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3584	RUXIMICS.exe	23.216.77.42:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
1268	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2	whitelisted
google.com	142.250.185.174	whitelisted
crl.microsoft.com	23.216.77.42 23.216.77.6	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
wallpapercave.com	172.66.169.189 104.20.34.47	whitelisted
www.bing.com	92.123.104.31 92.123.104.63 92.123.104.34 92.123.104.33 92.123.104.62 92.123.104.38 92.123.104.52 92.123.104.32	whitelisted
self.events.data.microsoft.com	104.208.16.89	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

_eab74cb48e2926577d16ea10695b75185ca6c4b36f365c117e1cabe4900c6cd2.txt

1EA32CF0E9D1919FF2BED1E8D79E3BAF

C13AA7BAB0AF75936E9CA8D43C97D7020632051C

EAB74CB48E2926577D16EA10695B75185CA6C4B36F365C117E1CABE4900C6CD2

192:mkaK9ymziLVWOr2jcyOuME+xOpYGJjxKn60W:mNj0OT9Ox

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass execution policy to execute commands

Deletes shadow copies

SUSPICIOUS

CSC.EXE is used to compile C# code

Executes as Windows Service

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the date of Windows installation

Gets path to any of the special folders (POWERSHELL)

Creates new GUID (POWERSHELL)

Writes data into a file (POWERSHELL)

INFO

Reads the machine GUID from the registry

Checks supported languages

Disables trace logs

Create files in a temporary directory

Reads the computer name

Checks proxy server information

Process checks computer location settings

Script raised an exception (POWERSHELL)

Reads the software policy settings

Reads Environment values

Reads security settings of Internet Explorer

Checks if a key exists in the options dictionary (POWERSHELL)

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings