{"id":7658,"date":"2024-04-18T11:03:01","date_gmt":"2024-04-18T11:03:01","guid":{"rendered":"\/cybersecurity-blog\/?p=7658"},"modified":"2024-04-18T11:03:12","modified_gmt":"2024-04-18T11:03:12","slug":"powershell-script-tracer","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/","title":{"rendered":"New PowerShell Script Tracer: Analyze PowerShell Execution"},"content":{"rendered":"\n<p>PowerShell scripts are, in some way, present in a lot of malware attacks. Now you can analyze them in <a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=powershell_tracer&amp;utm_term=180424&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"564\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/1-min-2-1024x564.png\" alt=\"\" class=\"wp-image-7661\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/1-min-2-1024x564.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/1-min-2-300x165.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/1-min-2-768x423.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/1-min-2-1536x846.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/1-min-2-2048x1129.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/1-min-2-370x204.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/1-min-2-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/1-min-2-740x408.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><a 
href=\"https:\/\/app.any.run\/tasks\/d58441df-fc26-4709-9728-bedd265f9b38\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=powershell_tracer&amp;utm_term=180424&amp;utm_content=linktoservice\/\" target=\"_blank\" rel=\"noreferrer noopener\">Example<\/a>: use the PowerShell Tracer to analyze scripts written in this language<\/figcaption><\/figure><\/div>\n\n\n<p>PowerShell is a command-line shell and scripting language used by system administrators to automate system tasks and set up CI\/CD processes. However, attackers often use it to perform a variety of malicious actions, such as:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Download and execute malicious binaries from a separate source.&nbsp;<\/li>\n\n\n\n<li>Bypass antivirus software by executing the script in memory.&nbsp;<\/li>\n\n\n\n<li>Execute malicious scripts.&nbsp;<\/li>\n\n\n\n<li>Collect and exfiltrate system data.&nbsp;<\/li>\n\n\n\n<li>Remotely control the infected system.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Because PowerShell is bundled with all supported versions of Windows (and is sometimes installed on Linux, too), attackers often use it for &#8220;living off the land&#8221; attacks, where legitimate system resources are used for malicious actions. This makes PowerShell a favorite tool of attackers: scripts in this language are relatively easy to write, difficult to detect, and hard to analyze without specialized tools \u2014 in part because PowerShell scripts are well-suited for obfuscation. They can be heavily shortened without affecting their functionality at all. For example, PowerShell supports partial name matching: this means that&nbsp;<strong>-encoded<\/strong> will work even if you write <strong>-enco<\/strong>, and this applies to all commands.&nbsp;<\/p>\n\n\n\n<p>In ANY.RUN, you can analyze malicious scripts by running malware in our interactive sandbox and seeing how the scripts affect the system, or by using our Script Tracer. The Tracer breaks down script execution step by step. It supports PowerShell as well as other scripting languages: JScript, VBScript, VBA, and Macro 4.0.&nbsp;<\/p>\n\n\n\n<p>It all works in our intuitive interface \u2014 true to ANY.RUN\u2019s spirit. 
&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/script-tracer\/\" target=\"_blank\" rel=\"noreferrer noopener\">Read more about the ANY.RUN Script Tracer \u2192<\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Understand exactly what PowerShell scripts do in the system&nbsp;<\/h2>\n\n\n\n<p>PowerShell execution was the 4<sup>th<\/sup> most popular TTP we recorded in our Sandbox in Q1 2024 \u2014 out of all public tasks, it was present in 22,515. (<a href=\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-q1-2024\/\" target=\"_blank\" rel=\"noreferrer noopener\">Read our full report for more malware statistics<\/a>). So how does the PowerShell Script Tracer change the way you can approach script analysis?<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"565\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/2-4-1024x565.png\" alt=\"\" class=\"wp-image-7662\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/2-4-1024x565.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/2-4-300x165.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/2-4-768x424.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/2-4-1536x847.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/2-4-2048x1129.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/2-4-370x204.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/2-4-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/2-4-740x408.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><a 
href=\"https:\/\/app.any.run\/tasks\/26f9d5b0-6223-4152-8ec6-ca2cdcbb6616\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=powershell_tracer&amp;utm_term=180424&amp;utm_content=linktoservice\/\" target=\"_blank\" rel=\"noreferrer noopener\">Example<\/a>: easily see detailed function input and output in the PowerShell Tracer<\/figcaption><\/figure><\/div>\n\n\n<p><strong>Here&#8217;s what you can expect with the new PowerShell Script Tracer:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Automatic detection of PowerShell scripts. <\/strong>Now, when PowerShell executes during an analysis session, a PowerShell tab will automatically appear under the Script Tracer in Advanced Process Details \u2014 this tab becomes available after you&#8217;ve stopped the task. Click on it to see what that script did.&nbsp;<\/li>\n\n\n\n<li><strong>Detailed breakdown of every function. <\/strong>You can see the entry point, parameters, and exit point for every function in the script.&nbsp;<\/li>\n\n\n\n<li><strong>Connected function inputs and outputs. <\/strong>Easily trace the relationships between function inputs and outputs by following the connection lines from one function to another.&nbsp;<\/li>\n\n\n\n<li><strong>Easy-to-use details view<\/strong>. 
If a function receives a long parameter like an encoded string, you can expand the view to isolate and inspect the specific parameter data in binary, hexadecimal, and plaintext formats.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Let\u2019s Analyze a PowerShell Script From a Real-World Example&nbsp;<\/h2>\n\n\n\n<p>One of the biggest benefits for attackers using PowerShell is that the scripts can run covertly and leave minimal traces, making them challenging to analyze unless you have access to a dedicated PowerShell Tracer tool \u2014 like the one offered by ANY.RUN.&nbsp;<\/p>\n\n\n\n<p>Let&#8217;s break down how this tracer works by looking at <a href=\"https:\/\/app.any.run\/tasks\/d58441df-fc26-4709-9728-bedd265f9b38\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=powershell_tracer&amp;utm_term=180424&amp;utm_content=linktoservice\/\" target=\"_blank\" rel=\"noreferrer noopener\">this recorded interactive analysis session in ANY.RUN<\/a>, where attackers used PowerShell to download a malicious payload and bypass the execution policy to run it.&nbsp;<\/p>\n\n\n\n<p>First, let\u2019s orient ourselves in ANY.RUN\u2019s interface. How do you access the Script Tracer?&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"568\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/3-min-3-1024x568.png\" alt=\"\" class=\"wp-image-7663\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/3-min-3-1024x568.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/3-min-3-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/3-min-3-768x426.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/3-min-3-1536x852.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/3-min-3-2048x1135.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/3-min-3-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/3-min-3-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/3-min-3-740x410.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>The process tree on the right shows that a process launched a PowerShell command. To investigate it further, first click on that process in the tree. 
Then, in the <strong>process details tab <\/strong>that appears at the bottom, click on <strong>More info<\/strong>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"566\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/4-min-3-1024x566.png\" alt=\"\" class=\"wp-image-7664\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/4-min-3-1024x566.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/4-min-3-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/4-min-3-768x425.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/4-min-3-1536x849.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/4-min-3-2048x1132.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/4-min-3-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/4-min-3-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/4-min-3-740x409.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>An <strong>Advanced details of a process <\/strong>window will appear, replacing the general information and VNC stream recording. This window provides in-depth details about the process&#8217;s activities. Since we&#8217;re dealing with a PowerShell command line, we&#8217;re interested in the <strong>Script Tracer<\/strong> tab in the left menu. 
Click on the <strong>PowerShell<\/strong> tab to open the respective Tracer.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"567\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/5-min-1024x567.png\" alt=\"\" class=\"wp-image-7665\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/5-min-1024x567.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/5-min-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/5-min-768x425.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/5-min-1536x850.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/5-min-2048x1134.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/5-min-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/5-min-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/5-min-740x410.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>In the PowerShell Tracer tab, let\u2019s look at the process with <strong>ID 6104<\/strong> (above). We see the functions displayed sequentially, from top to bottom. 
Let&#8217;s break down what&#8217;s happening in this task.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"342\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/6-3-1024x342.png\" alt=\"\" class=\"wp-image-7666\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/6-3-1024x342.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/6-3-300x100.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/6-3-768x256.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/6-3-1536x512.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/6-3-2048x683.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/6-3-370x123.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/6-3-270x90.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/6-3-1500x500.png 1500w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/6-3-740x247.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>1. <strong>DownloadDataFromLinks System.Object[] <\/strong>function downloads data from provided links. 
It takes a URL as input and downloads data from it.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"56\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/7-4-1024x56.png\" alt=\"\" class=\"wp-image-7667\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/7-4-1024x56.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/7-4-300x16.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/7-4-768x42.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/7-4-370x20.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/7-4-270x15.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/7-4-740x41.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/7-4.png 1422w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>2. <strong>DownloadData(System.String)<\/strong> method is part of the <strong>System.Net.WebClient<\/strong> class (above) which takes a single string parameter, which is the URI from which to download data.&nbsp;<\/p>\n\n\n\n<p>3. Tracing the execution further down, the decoded binary data is then passed to <strong>System.Text.UnicodeEncoding.GetString<\/strong>. 
UTF8Encoding provides a method called GetString(byte[]) which is used to convert an array of bytes into a string.&nbsp;This function converts the binary data into a Unicode string, which ends up being our actual PowerShell command:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"513\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/8-2-1024x513.png\" alt=\"\" class=\"wp-image-7668\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/8-2-1024x513.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/8-2-300x150.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/8-2-768x384.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/8-2-1536x769.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/8-2-370x185.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/8-2-270x135.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/8-2-740x370.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/8-2.png 1866w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>4. The next step is for the extracted data to be decoded from base64 using the <strong>FromBase64String(System.String) method<\/strong>, which is used to decode a string formatted in Base64 back into an array of bytes. Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string format (screenshot below). 
Here, we can also see two flags, <strong>&lt;&lt;BASE64_START&gt;&gt;<\/strong> and <strong>&lt;&lt;BASE64_END&gt;&gt;, <\/strong>which will be used to extract the payload from the downloaded image.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"449\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/9-2-1024x449.png\" alt=\"\" class=\"wp-image-7669\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/9-2-1024x449.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/9-2-300x131.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/9-2-768x336.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/9-2-1536x673.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/9-2-2048x897.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/9-2-370x162.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/9-2-270x118.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/9-2-740x324.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>And in our case the decoded file is an executable, which we can understand from the MZ signature in the tracer. 
In other words, this is the payload itself.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"42\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/10-3-1024x42.png\" alt=\"\" class=\"wp-image-7670\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/10-3-1024x42.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/10-3-300x12.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/10-3-768x32.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/10-3-1536x64.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/10-3-2048x85.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/10-3-370x15.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/10-3-270x11.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/10-3-740x31.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>Back to the parent process with <strong>ID 32,<\/strong> if we scroll all the way down, we\u2019ll see a PowerShell command (above). 
We can click on the <strong>Info <\/strong>button to get a better view of these instructions.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"566\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/11-min-1024x566.png\" alt=\"\" class=\"wp-image-7671\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/11-min-1024x566.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/11-min-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/11-min-768x424.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/11-min-1536x848.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/11-min-2048x1131.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/11-min-370x204.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/11-min-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/04\/11-min-740x409.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Here, you can see the unobfuscated PowerShell command. By clicking on the <strong>Text <\/strong>button in the top-right corner of the window, you can maximize the text view. Let&#8217;s break down some suspicious aspects of the code:&nbsp;<\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"1\">\n<li><strong>powershell.exe -windowstyle hidden -executionpolicy bypass \u2013Noprofile<\/strong>. Launches PowerShell with the window hidden, bypasses the execution policy to ensure the code runs, and avoids loading the user profile, possibly to speed up execution and avoid conflicts.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\">\n<li><strong>$links = @(&#8216;https:\/\/&#8230;&#8217;, &#8216;https:\/\/&#8230;&#8217;)<\/strong> and <strong>$imageBytes = DownloadDataFromLinks $links. <\/strong>Defines an array of links, notably containing paths to images in the URLs, and calls the DownloadDataFromLinks function to retrieve data from those image URLs.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol class=\"wp-block-list\" start=\"3\">\n<li><strong>$base64Command = $imageText.Substring($startIndex, $base64Length). <\/strong>Extracts a Base64-encoded command hidden within the downloaded image data, which is very unlikely behavior for a legitimate program, because images don&#8217;t normally contain Base64-encoded commands. <strong>The flags&nbsp;&lt;&lt;BASE64_START&gt;&gt; and &lt;&lt;BASE64_END&gt;&gt;&nbsp;mark the start and end of the executable file that is extracted from the image<\/strong>.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol class=\"wp-block-list\" start=\"4\">\n<li><strong>$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes). <\/strong>Loads the decoded bytes of the extracted command as a .NET assembly and executes it from memory, avoiding file-based detection.&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>In summary, we can clearly see that the nature of this script is malicious. 
We can also extract the following URLs from the script:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>https:\/\/uploaddeimagens[.]com.br\/images\/004\/766\/978\/full\/new_image_vbs.jpg?1712588469&nbsp;<\/li>\n\n\n\n<li>https:\/\/uploaddeimagens[.]com.br\/images\/004\/766\/979\/original\/new_image_vbs.jpg?1712588500&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Then, we can use these IOCs to search our logs for any connections made to them, or set up our WAF to block requests to these malicious URLs.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About 
ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN is a trusted partner for more than 400,000 cybersecurity professionals around the world. Our interactive sandbox simplifies malware analysis of threats targeting both Windows and Linux systems, providing analysts with an advanced tool for investigations. Our threat intelligence products, Lookup and Feeds, offer refined indicators of compromise and context that lets users detect threats and respond to incidents faster.&nbsp;&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Advantages of ANY.RUN&nbsp;&nbsp;<\/h3>\n\n\n\n<p>ANY.RUN helps you analyze threats faster while improving detection rates. The platform detects common malware families with YARA and Suricata rules and identifies malware behavior with signatures when detection by family is not possible.&nbsp;<\/p>\n\n\n\n<p>With ANY.RUN you can:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Detect malware in under 40s<\/strong>: ANY.RUN detects malware within about 40 seconds of a file upload. 
It identifies prevalent malware families using YARA and Suricata rules and uses behavioral signatures to detect malicious actions when you encounter a new threat.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Interact with samples in real time<\/strong>: ANY.RUN is an interactive cloud sandbox powered by VNC, which means that you can do everything you could on a real system: browse webpages, click through installers, open password-protected archives.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Save time and money on sandbox setup and maintenance<\/strong>: ANY.RUN\u2019s cloud-based nature eliminates the need for setup or maintenance by your DevOps team, making it a cost-effective solution for businesses.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Record and study all aspects of malware behavior<\/strong>: ANY.RUN provides a detailed analysis of malware behavior, including network traffic, system calls, and file system changes.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Collaborate with your team<\/strong>: easily share analysis results, or, as a senior team member, check the work of junior analysts by viewing recordings of their analysis sessions.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Scale as you need<\/strong>: as a cloud service, you can easily scale your team simply by adding more licenses.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Get in touch with us and we&#8217;ll provide you with a guided tour of ANY.RUN and show you how it can help your security team.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/contact-us\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=powershell_tracer&amp;utm_term=180424&amp;utm_content=linktocontactus\/\" target=\"_blank\" rel=\"noreferrer noopener\">Contact us \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>PowerShell scripts are, in some way, present in a lot of 
malware attacks. Now you can analyze them in ANY.RUN.&nbsp; PowerShell is a command-line shell and scripting language used by system administrators to automate system tasks and set up CI\/CD processes. However, hackers often use it to perform a variety of malicious actions, such as:&nbsp; [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":7674,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[57,10,34,55],"class_list":["post-7658","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-service-updates","tag-anyrun","tag-cybersecurity","tag-malware-analysis","tag-release"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>New PowerShell Script Tracer: Analyze PowerShell Execution - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"See how you can analyze malicious PowerShell scripts in the ANY.RUN sandbox and explore their entire execution step by step.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jack Zalesskiy\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/\"},\"author\":{\"name\":\"Jack Zalesskiy\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"New PowerShell Script Tracer: Analyze PowerShell Execution\",\"datePublished\":\"2024-04-18T11:03:01+00:00\",\"dateModified\":\"2024-04-18T11:03:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/\"},\"wordCount\":1665,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\",\"release\"],\"articleSection\":[\"Service Updates\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/\",\"name\":\"New PowerShell Script Tracer: Analyze PowerShell Execution - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-04-18T11:03:01+00:00\",\"dateModified\":\"2024-04-18T11:03:12+00:00\",\"description\":\"See how you can analyze malicious PowerShell scripts in the ANY.RUN sandbox and explore their entire execution step by 
step.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Service Updates\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/service-updates\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"New PowerShell Script Tracer: Analyze PowerShell Execution\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Jack Zalesskiy\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp\",\"caption\":\"Jack Zalesskiy\"},\"description\":\"Jack Zalesskiy is a technology writer with five years of experience under his belt. He closely follows malware incidents, data breaches, and the way in which cyber threats manifest in our day-to-day lives.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"New PowerShell Script Tracer: Analyze PowerShell Execution - ANY.RUN&#039;s Cybersecurity Blog","description":"See how you can analyze malicious PowerShell scripts in the ANY.RUN sandbox and explore their entire execution step by step.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/","twitter_misc":{"Written by":"Jack Zalesskiy","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/"},"author":{"name":"Jack Zalesskiy","@id":"https:\/\/any.run\/"},"headline":"New PowerShell Script Tracer: Analyze PowerShell Execution","datePublished":"2024-04-18T11:03:01+00:00","dateModified":"2024-04-18T11:03:12+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/"},"wordCount":1665,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis","release"],"articleSection":["Service Updates"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/","url":"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/","name":"New PowerShell Script Tracer: Analyze PowerShell Execution - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-04-18T11:03:01+00:00","dateModified":"2024-04-18T11:03:12+00:00","description":"See how you can analyze malicious PowerShell scripts in the ANY.RUN sandbox and 
explore their entire execution step by step.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Service Updates","item":"https:\/\/any.run\/cybersecurity-blog\/category\/service-updates\/"},{"@type":"ListItem","position":3,"name":"New PowerShell Script Tracer: Analyze PowerShell Execution"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Jack 
Zalesskiy","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1.webp","caption":"Jack Zalesskiy"},"description":"Jack Zalesskiy is a technology writer with five years of experience under his belt. He closely follows malware incidents, data breaches, and the way in which cyber threats manifest in our day-to-day lives.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7658"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=7658"}],"version-history":[{"count":2,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7658\/revisions"}],"predecessor-version":[{"id":7675,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7658\/revisions\/7675"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/7674"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=7658"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=7658"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=7658"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}