File name:

2.ps1

Full analysis: https://app.any.run/tasks/cb82fd99-7f04-40ef-be19-cae1ee81d3a3
Verdict: Malicious activity
Analysis date: April 29, 2025, 08:47:44
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
pastebin
auto-startup
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (645), with CRLF line terminators
MD5:

A2EC6857B9B92362EE18F1D9166DCE54

SHA1:

EA7753ACC712661E385FA1007CC12C1569140927

SHA256:

144FBE9CE7785E9604107C0F9B05505EEAAA306394DEF0CEA214954BBCD99BE0

SSDEEP:

24:K8y6cJtNUcPB7CAV7pN0t2DNtJUzlVwr897XJz2azZFHs3akw:U6cx3Z77V7pG2b6ZhXzxZFHGe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6620)
      • powershell.exe (PID: 8084)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 6620)
    • Create files in the Startup directory

      • powershell.exe (PID: 6620)
    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 6620)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 8084)
  • SUSPICIOUS

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6620)
    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 6620)
    • The process hides an interactive prompt from the user

      • powershell.exe (PID: 6620)
    • Starts POWERSHELL.EXE for command execution

      • powershell.exe (PID: 6620)
    • Starts a new process with hidden mode (POWERSHELL)

      • powershell.exe (PID: 6620)
    • The process hides PowerShell's copyright startup banner

      • powershell.exe (PID: 6620)
    • Application launched itself

      • powershell.exe (PID: 6620)
    • Reverses array data (POWERSHELL)

      • powershell.exe (PID: 6620)
    • Connects to the server without a host name

      • powershell.exe (PID: 6620)
    • Creates new GUID (POWERSHELL)

      • powershell.exe (PID: 6620)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 6620)
  • INFO

    • Disables trace logs

      • powershell.exe (PID: 6620)
    • Checks proxy server information

      • powershell.exe (PID: 6620)
    • Auto-launch of the file from the Startup directory

      • powershell.exe (PID: 6620)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 6620)
    • Remote server returned an error (POWERSHELL)

      • powershell.exe (PID: 6620)
    • Reads the software policy settings

      • slui.exe (PID: 7320)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6620)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6620)
    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 6620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
138
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph

Processes shown in the graph: powershell.exe, conhost.exe (no specs), sppextcomobj.exe (no specs), slui.exe, powershell.exe (no specs), conhost.exe (no specs), slui.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1276
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2236
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
6620
CMD:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\AppData\Local\Temp\2.ps1
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
7288
CMD:
C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path:
C:\Windows\System32\SppExtComObj.Exe
Parent process:
svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID:
7320
CMD:
"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path:
C:\Windows\System32\slui.exe
Parent process:
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
8084
CMD:
"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Beim Öffnen dieses Dokuments ist ein Fehler aufgetreten ! Bitte aktualisieren Sie Ihre Version.', 'Adobe PDF Reader Fehlercode: cx91293', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Exclamation);Exit
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
8092
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
11 068
Read events
11 068
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
7
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6620
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10d67c.TMP
Type: binary
MD5: D040F64E9E7A2BB91ABCA5613424598E
SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
PID: 6620
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JXG0AVZTDBDJFJYTLVB8.temp
Type: binary
MD5: 1AB09CAB68F35579C8F9177C0A751AE4
SHA256: ED6CFDAD79896BA60A16433A72E776F6BF5D5F8C07DD94A3C4E48679D788D18E
PID: 8084
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3Z2FWYB8YWER3ELUNBWM.temp
Type: binary
MD5: 99946BD63CBF32CF96DBF18494290236
SHA256: 4EF25E772666C0C9C20D9B2E188C0E6B24F4F636D7A61681BBAD6122FF29E110
PID: 8084
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF112c8b.TMP
Type: binary
MD5: 1AB09CAB68F35579C8F9177C0A751AE4
SHA256: ED6CFDAD79896BA60A16433A72E776F6BF5D5F8C07DD94A3C4E48679D788D18E
PID: 6620
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hdgoyukt.zzt.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 8084
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Type: binary
MD5: 99946BD63CBF32CF96DBF18494290236
SHA256: 4EF25E772666C0C9C20D9B2E188C0E6B24F4F636D7A61681BBAD6122FF29E110
PID: 6620
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Type: binary
MD5: 1AB09CAB68F35579C8F9177C0A751AE4
SHA256: ED6CFDAD79896BA60A16433A72E776F6BF5D5F8C07DD94A3C4E48679D788D18E
PID: 8084
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1udpxm3w.3sn.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 6620
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_a0tetqzl.vwj.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 6620
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Type: binary
MD5: DE5D52458DBE4265D7790540890F7D70
SHA256: 6478EAF3AB2D039D7D288328CC7E50D4E8FB0227B9603036406524728E4696A0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
24
DNS requests
17
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.23:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7960
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6620
powershell.exe
GET
200
45.15.162.16:80
http://45.15.162.16/octopus.txt
unknown
unknown
7960
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.23:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
1196
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 23.216.77.23
  • 23.216.77.10
  • 23.216.77.21
  • 23.216.77.18
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.64
  • 40.126.32.138
  • 20.190.160.131
  • 20.190.160.128
  • 40.126.32.134
  • 40.126.32.140
  • 20.190.160.66
  • 40.126.32.74
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
pastebin.com
  • 104.22.68.199
  • 104.22.69.199
  • 172.67.25.94
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Online Pastebin Text Storage
No debug info