File name:

Payload.ps1

Full analysis: https://app.any.run/tasks/9fb01320-23f7-44ed-a0c1-4598247b4cdf
Verdict: Malicious activity
Analysis date: December 25, 2024, 19:21:45
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
susp-powershell
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text, with very long lines (14657), with CRLF, LF line terminators
MD5:

5F7381B5473F8C55B2806C49E96397AD

SHA1:

BE451AF88636069AE8E49B2ADBE7D0CF586BD2BB

SHA256:

034C4BAE990CB1B270C8EA0C213F5872A7B04252023D37815D039BB253CE45E5

SSDEEP:

3072:EUJ7OjadEwiQdOubn4bqA0UQFUn5i3G7aDNC4gdKkp7YiXkPdIZ+4x9:EUJ74AaE49kWi3GGNC4g7YiN9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6284)

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 6284)

  • SUSPICIOUS

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6284)

    • Changes AMSI initialization state that disables detection systems (POWERSHELL)

      • powershell.exe (PID: 6284)

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 6284)

  • INFO

    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • powershell.exe (PID: 6284)

    • Found Base64 encoded access to Regex class via PowerShell (YARA)

      • powershell.exe (PID: 6284)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
122
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
6284"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\Payload.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6292\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
6 190
Read events
6 190
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
6284powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF135ff6.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
6284powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uwwioamk.ypm.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6284powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MEMQWK7BK48EGEF3Y68G.tempbinary
MD5:BB146A95AB154C9E7B5A498179A87F8F
SHA256:E06101661AA82421758F4214E0B417FAA18E4F9E17E928E85D9B2D1B78E84702
6284powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pkvupgdu.xa5.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6284powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:BB146A95AB154C9E7B5A498179A87F8F
SHA256:E06101661AA82421758F4214E0B417FAA18E4F9E17E928E85D9B2D1B78E84702
6284powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3fcm3els.tea.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6284powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0gxlcbao.k2m.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6284powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCachebinary
MD5:3F95A05381C6D14195F6A1538F5FBADE
SHA256:0E753E9AD3EDE811C17D076B462F85321B8F559C2E462AF0990A1653573A525F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
17
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2124
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
973 b
whitelisted
3560
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
973 b
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
whitelisted
2124
RUXIMICS.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
whitelisted
3560
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
973 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:137
whitelisted
3560
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2124
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3560
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2124
RUXIMICS.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3560
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 20.189.173.26
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Payload.ps1