File name:

newILY.ps1

Full analysis: https://app.any.run/tasks/85c0c25d-e73c-460b-abbc-3b38e7a4d0b4
Verdict: Malicious activity
Analysis date: September 30, 2024, 23:03:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
susp-powershell
wmi-base64
maldoc
qrcode
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (7460), with CRLF line terminators
MD5:

FF4627D5247A84643BE462EA8AB64FEF

SHA1:

0002757ED5D8DB1422F18CA35D6D1702C3C6149A

SHA256:

094DD036E6DA7A8D04943DD1EFEA9A48A7730FF61E8FB1E22FE4950BBFB4CD76

SSDEEP:

192:d9QJ6LH6vI2MMgucnCU+PcEE/5AR3XumFaMay:DQJ6LH6w2MVrycEE/uR3+mF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6684)

    • Drops known malicious image

      • powershell.exe (PID: 6684)

  • SUSPICIOUS

    • Connects to unusual port

      • powershell.exe (PID: 6684)

    • Uses NLTEST.EXE to test domain trust

      • powershell.exe (PID: 6684)

    • Uses WMIC.EXE to obtain Windows Installer data

      • powershell.exe (PID: 6684)

    • Group Policy Discovery via Microsoft GPResult Utility

      • powershell.exe (PID: 6684)

    • Starts application with an unusual extension

      • powershell.exe (PID: 6684)

    • Likely accesses (executes) a file from the Public directory

      • WinSCP.com (PID: 5916)
      • WinSCP.exe (PID: 5584)
      • notepad.exe (PID: 3688)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 6684)

    • Connects to SSH

      • WinSCP.exe (PID: 5584)

  • INFO

    • Found Base64 encoded reference to AntiVirus WMI classes (YARA)

      • powershell.exe (PID: 6684)

    • Found Base64 encoded reference to WMI classes (YARA)

      • powershell.exe (PID: 6684)

    • Found Base64 encoded network access via PowerShell (YARA)

      • powershell.exe (PID: 6684)

    • Found Base64 encoded access to processes via PowerShell (YARA)

      • powershell.exe (PID: 6684)

    • Manual execution by a user

      • notepad.exe (PID: 3688)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
137
Monitored processes
8
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT powershell.exe conhost.exe no specs nltest.exe no specs wmic.exe no specs gpresult.exe no specs winscp.com no specs winscp.exe notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2620"C:\WINDOWS\system32\nltest.exe" /dsgetdc:DESKTOP-JGLLJLDC:\Windows\System32\nltest.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Logon Server Test Utility
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\nltest.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\logoncli.dll
3444"C:\WINDOWS\system32\gpresult.exe" /rC:\Windows\System32\gpresult.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Query Group Policy RSOP Data
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\gpresult.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
3688"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\Public\HelpDesk-Tools\maintenanceScript.txtC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
5164"C:\WINDOWS\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET /valueC:\Windows\System32\wbem\WMIC.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
5584"C:\Users\Public\HelpDesk-Tools\WinSCP.exe" /console=5.15.3 /consoleinstance=_5916_558 "/script=C:\Users\Public\HelpDesk-Tools\maintenanceScript.txt" C:\Users\Public\HelpDesk-Tools\WinSCP.exe
WinSCP.com
User:
admin
Company:
Martin Prikryl
Integrity Level:
MEDIUM
Description:
WinSCP: SFTP, FTP, WebDAV, S3 and SCP client
Version:
5.15.3.9730
Modules
Images
c:\users\public\helpdesk-tools\winscp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll
5916"C:\Users\Public\HelpDesk-Tools\WinSCP.com" /script="C:\Users\Public\HelpDesk-Tools\maintenanceScript.txt" C:\Users\Public\HelpDesk-Tools\WinSCP.compowershell.exe
User:
admin
Company:
Martin Prikryl
Integrity Level:
MEDIUM
Description:
Console interface for WinSCP
Version:
5.0.1.9730
Modules
Images
c:\users\public\helpdesk-tools\winscp.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6124\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6684"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\AppData\Local\Temp\newILY.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
11 142
Read events
11 142
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
19
Text files
12
Unknown types
0

Dropped files

PID
Process
Filename
Type
6684powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:256214E1C71187EC44672E481EBBDB6B
SHA256:3D50799E7A35DED1D8181FD1AFE0694C1B1DB528BB04D35C3A9CA86A3391DB4D
6684powershell.exeC:\Users\Public\Public Files\username.txttext
MD5:B862A883A1AD2D03F78677F0FA3B532B
SHA256:F77ADB49175BC4312D14ADB711BC540E7CE045BF7C277DBFAC4B9D62CCE37E79
6684powershell.exeC:\Users\Public\Public Files\PivotTable tutorial.xltxdocument
MD5:5A8B01F61A50C4CDA1BD087E3480513E
SHA256:99A31AC6AE3D026660CDA754653C6B4BDF4D0B495F37FBF3512FE45489D70829
6684powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_esx5mbpp.axc.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6684powershell.exeC:\Users\Public\Public Files\localusers.txttext
MD5:A8EA1765F76DD21736ACE3460F60F725
SHA256:7D3C4B6115BA8CB2F378BA19267AB0B6982593EF008AB0BAD1F3BF07B87F6355
6684powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wjisv5vh.yzy.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6684powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF3f53ca.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
6684powershell.exeC:\Users\Public\Public Files\PivotTable tutorial(2).xltxdocument
MD5:3ECC3580E61A7FFDDE237CA70BAD202D
SHA256:91B30C8346A857DA000B129C06F8A0B146FBA13B96E03C3E49E15B7E28223875
6684powershell.exeC:\Users\Public\Public Files\UserProcesses.txttext
MD5:88642C22954A81789640A78AED819E8F
SHA256:368786DBF5B1FFB8D938C0DA1754A79EE11353ECFE6412F61C357F178D3ECA99
6684powershell.exeC:\Users\Public\Public Files\Formula tutorial.xltxdocument
MD5:E45EF81D3BF5156F1A5A7E633B251DC9
SHA256:A244D4CF63BE9041CCA218C6865FE6EAC20667E2AF055B5BE67B31F623A1FCFA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
45
DNS requests
17
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2120
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5664
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1928
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1928
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
3972
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
7108
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
4324
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6684
powershell.exe
44.206.187.144:9000
AMAZON-AES
US
unknown
7108
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5664
svchost.exe
20.190.159.23:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
google.com
  • 142.250.184.238
whitelisted
login.live.com
  • 20.190.159.23
  • 20.190.159.68
  • 20.190.159.2
  • 20.190.159.73
  • 40.126.31.69
  • 20.190.159.0
  • 40.126.31.67
  • 20.190.159.64
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.115.3.253
  • 40.113.110.67
whitelisted
go.microsoft.com
  • 184.30.17.189
whitelisted
slscr.update.microsoft.com
  • 13.85.23.86
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted

Threats

PID
Process
Class
Message
5584
WinSCP.exe
Attempted Information Leak
ET SCAN Potential SSH Scan OUTBOUND
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
newILY.ps1