File name:

1.ps1

Full analysis: https://app.any.run/tasks/95c17d13-0c6a-40d3-9137-14fd01a66325
Verdict: Malicious activity
Analysis date: April 29, 2025, 08:44:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-startup
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text, with very long lines (8013), with CRLF line terminators
MD5:

3172B0397DE618CB685320FFF809CDB4

SHA1:

AFC162FA5AAB45C52F9909D5E4FECA80E6AE82BA

SHA256:

076FEF0EE03BF6F0259F000043C8E74ED989AD698A3DF3DDA5D7B45567354846

SSDEEP:

192:bA27hyMeXjOo/2OsW/gncfQLnqpqTjSFU+Gat/QmmSUDYmp1p3gze:tkfX6m2OsW/OVLqqjSFU+GapQmmhMmp1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 7376)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7376)
      • powershell.exe (PID: 7880)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7880)

    • Create files in the Startup directory

      • powershell.exe (PID: 7376)

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 7376)

  • SUSPICIOUS

    • Creates new GUID (POWERSHELL)

      • powershell.exe (PID: 7376)

    • The process hide an interactive prompt from the user

      • powershell.exe (PID: 7376)

    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 7376)

    • Application launched itself

      • powershell.exe (PID: 7376)

    • The process hides Powershell's copyright startup banner

      • powershell.exe (PID: 7376)

    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 7376)

    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 7376)

    • Connects to the server without a host name

      • powershell.exe (PID: 7376)

    • Reverses array data (POWERSHELL)

      • powershell.exe (PID: 7376)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7376)

    • Retrieves command line args for running process (POWERSHELL)

      • powershell.exe (PID: 7376)

    • The process checks if it is being run in the virtual environment

      • powershell.exe (PID: 7376)

  • INFO

    • Auto-launch of the file from Startup directory

      • powershell.exe (PID: 7376)

    • Disables trace logs

      • powershell.exe (PID: 7376)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 7376)

    • Checks proxy server information

      • powershell.exe (PID: 7376)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7376)

    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 7376)

    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 7376)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7376)

    • Reads the software policy settings

      • slui.exe (PID: 7532)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 7376)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
135
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe powershell.exe no specs conhost.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1164C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7376"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\AppData\Local\Temp\1.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7384\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7492C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7532"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7880"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Beim Öffnen dieses Dokuments ist ein Fehler aufgetreten ! Bitte aktualisieren Sie Ihre Version.', 'Adobe PDF Reader Fehlercode: cx91293', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Exclamation);Exit C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7896\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
11 275
Read events
11 275
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
9
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
7376powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6NR6O39BG83DX6QGOMTL.tempbinary
MD5:4D73A66E221CE4C0226C4E1F401FA194
SHA256:458047D13AE10D6FA38E6FBA33337C6D9BF6A78939C09EB27F9F56BD8D03013D
7880powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0t3w3h0t.yji.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7376powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnkbinary
MD5:D3E6449E8F37AC375421F3DE6299DC97
SHA256:DE4896F96EB34C39F2DE251A25377D55ADC5A765ABF79931306933122E149577
7376powershell.exeC:\Users\admin\AppData\Roaming\2.pdfbinary
MD5:6B3CFFA1BC572DD444B852FF99BFCA11
SHA256:59C146AFB3468B86F759AEBC0420A08E60240D7539AE5A96B70DDB50F7AE6457
7880powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:A869B35430B8E68199FEFDBBB43D9CD1
SHA256:EB1ED0FC474EF67FDFE7DF4A8EE19FAE73EDD1CCF7D2969BD4EBD07DAC47A18A
7880powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_szbtv42q.qzn.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7376powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mrloms0o.vwc.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7376powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10caf3.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
7376powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:4D73A66E221CE4C0226C4E1F401FA194
SHA256:458047D13AE10D6FA38E6FBA33337C6D9BF6A78939C09EB27F9F56BD8D03013D
7376powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2m0luaa2.as0.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
26
DNS requests
17
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.216.77.36:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7376
powershell.exe
GET
200
83.138.53.186:80
http://83.138.53.186/2.pdf
unknown
unknown
7376
powershell.exe
GET
200
45.15.162.16:80
http://45.15.162.16/gigant.txt
unknown
unknown
6404
WmiPrvSE.exe
GET
200
2.16.164.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
6404
WmiPrvSE.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl%20
unknown
whitelisted
5116
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5116
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.216.77.36:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
2112
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.216.77.36
  • 23.216.77.18
  • 23.216.77.21
  • 2.16.164.114
  • 2.16.164.99
  • 2.16.164.43
  • 2.16.164.51
  • 2.16.164.74
  • 2.16.164.9
  • 2.16.164.48
  • 2.16.164.42
  • 2.16.164.66
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
  • 2.23.246.101
whitelisted
google.com
  • 216.58.206.46
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.159.68
  • 20.190.159.131
  • 40.126.31.69
  • 20.190.159.4
  • 20.190.159.129
  • 40.126.31.130
  • 40.126.31.3
  • 20.190.159.0
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
7376
powershell.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host PDF Request
7376
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
7376
powershell.exe
Misc activity
ET INFO Request for PDF via PowerShell
No debug info