File name: malware.ps1.ps1

Full analysis: https://app.any.run/tasks/f767d465-0e0b-4a9c-bb9f-908a6258363d
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 06, 2025, 03:22:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
telegram
vidar
stealer
stealc
auto-sch
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5: 05B76E26F27349147DEC3BD9EC4180AB
SHA1: 2F14C2EF4EAED8DAE4F1E29E50922F051B7CACA4
SHA256: 1F47A61E18C1565B52AEF072B4170886AB4996D42D2E354B05DFEDF31DF3DA35
SSDEEP: 3:BHN8VIKWK2Gj:RN8VNjj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 6720)
      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5560)
      • powershell.exe (PID: 6352)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6720)
      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5560)
      • powershell.exe (PID: 6352)
    • VIDAR mutex has been found

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
      • MSBuild.exe (PID: 5772)
      • MSBuild.exe (PID: 4052)
    • Steals credentials from Web Browsers

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • Actions look like stealing of personal data

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • Uses Task Scheduler to autorun other applications

      • powershell.exe (PID: 6720)
      • powershell.exe (PID: 5560)
      • powershell.exe (PID: 6352)
    • VIDAR has been detected (YARA)

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5560)
      • powershell.exe (PID: 6352)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 6460)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 6348)
      • powershell.exe (PID: 6652)
      • powershell.exe (PID: 1612)
      • powershell.exe (PID: 1760)
      • powershell.exe (PID: 2064)
      • powershell.exe (PID: 1512)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 6460)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 6348)
      • powershell.exe (PID: 6652)
      • powershell.exe (PID: 1612)
      • powershell.exe (PID: 1760)
      • powershell.exe (PID: 2064)
      • powershell.exe (PID: 1512)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 6460)
      • powershell.exe (PID: 6348)
      • powershell.exe (PID: 6652)
      • powershell.exe (PID: 1612)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 1760)
      • powershell.exe (PID: 2064)
      • powershell.exe (PID: 1512)
    • Starts CMD.EXE for self-deleting

      • MSBuild.exe (PID: 1180)
  • SUSPICIOUS

    • Changes AMSI initialization state that disables detection systems (POWERSHELL)

      • powershell.exe (PID: 6720)
      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5560)
      • powershell.exe (PID: 6352)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 6720)
      • csc.exe (PID: 5556)
      • powershell.exe (PID: 7052)
      • csc.exe (PID: 6296)
      • powershell.exe (PID: 5560)
      • csc.exe (PID: 3100)
      • csc.exe (PID: 2220)
      • powershell.exe (PID: 6352)
      • csc.exe (PID: 5008)
      • csc.exe (PID: 2536)
      • csc.exe (PID: 1028)
      • csc.exe (PID: 6364)
      • csc.exe (PID: 868)
    • Creates new GUID (POWERSHELL)

      • powershell.exe (PID: 6720)
      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5560)
      • powershell.exe (PID: 6352)
    • Reads security settings of Internet Explorer

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • Searches for installed software

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • Starts POWERSHELL.EXE for commands execution

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • There is functionality for taking screenshot (YARA)

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • BASE64 encoded PowerShell command has been detected

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • Base64-obfuscated command line is found

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • The process bypasses the loading of PowerShell profile settings

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • The process hides an interactive prompt from the user

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 6460)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 6348)
      • powershell.exe (PID: 6652)
      • powershell.exe (PID: 1612)
      • powershell.exe (PID: 1760)
      • powershell.exe (PID: 2064)
      • powershell.exe (PID: 1512)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 6460)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 6348)
      • powershell.exe (PID: 1612)
      • powershell.exe (PID: 6652)
      • powershell.exe (PID: 1760)
      • powershell.exe (PID: 2064)
      • powershell.exe (PID: 1512)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 5556)
      • csc.exe (PID: 6296)
      • csc.exe (PID: 3100)
      • csc.exe (PID: 2220)
      • csc.exe (PID: 2536)
      • csc.exe (PID: 1028)
      • csc.exe (PID: 6364)
      • csc.exe (PID: 868)
      • csc.exe (PID: 5008)
    • Writes data to a memory stream (POWERSHELL)

      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 6460)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 6348)
      • powershell.exe (PID: 6652)
      • powershell.exe (PID: 1612)
      • powershell.exe (PID: 1760)
      • powershell.exe (PID: 2064)
      • powershell.exe (PID: 1512)
    • Starts CMD.EXE for commands execution

      • MSBuild.exe (PID: 1180)
    • Multiple wallet extension IDs have been found

      • MSBuild.exe (PID: 1180)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 5548)
    • Deletes system .NET executable

      • cmd.exe (PID: 5548)
  • INFO

    • Checks proxy server information

      • powershell.exe (PID: 6720)
      • MSBuild.exe (PID: 1180)
      • powershell.exe (PID: 7052)
      • MSBuild.exe (PID: 6748)
      • powershell.exe (PID: 5560)
      • powershell.exe (PID: 6352)
      • slui.exe (PID: 6256)
    • The executable file from the user directory is run by the Powershell process

      • f97837f3a395406eb0e64dd1806f7c6a.exe (PID: 4824)
    • Disables trace logs

      • powershell.exe (PID: 6720)
      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5560)
      • powershell.exe (PID: 6352)
    • Checks supported languages

      • f97837f3a395406eb0e64dd1806f7c6a.exe (PID: 4824)
      • MSBuild.exe (PID: 1180)
      • cvtres.exe (PID: 3000)
      • csc.exe (PID: 5556)
      • 138bdb5fae13487d9639c3fd39e09359.exe (PID: 3572)
      • MSBuild.exe (PID: 6748)
      • csc.exe (PID: 6296)
      • cvtres.exe (PID: 6368)
      • cdf1eed3c0924e24a6c1356328a7d1d6.exe (PID: 1204)
      • MSBuild.exe (PID: 5772)
      • csc.exe (PID: 3100)
      • cvtres.exe (PID: 1520)
      • cvtres.exe (PID: 1068)
      • csc.exe (PID: 2220)
      • db3f2e62d2774c5dbfd1685001d0b423.exe (PID: 1096)
      • csc.exe (PID: 5008)
      • cvtres.exe (PID: 3880)
      • MSBuild.exe (PID: 4052)
      • csc.exe (PID: 2536)
      • cvtres.exe (PID: 3108)
      • csc.exe (PID: 1028)
      • cvtres.exe (PID: 4968)
      • csc.exe (PID: 6364)
      • cvtres.exe (PID: 7052)
      • csc.exe (PID: 868)
      • cvtres.exe (PID: 2704)
    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 1180)
      • csc.exe (PID: 5556)
      • MSBuild.exe (PID: 6748)
      • csc.exe (PID: 6296)
      • MSBuild.exe (PID: 5772)
      • csc.exe (PID: 3100)
      • csc.exe (PID: 2220)
      • csc.exe (PID: 5008)
      • csc.exe (PID: 2536)
      • csc.exe (PID: 1028)
      • csc.exe (PID: 6364)
      • csc.exe (PID: 868)
    • Reads the computer name

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
      • MSBuild.exe (PID: 5772)
    • Creates files in the program directory

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • Reads Environment values

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
      • MSBuild.exe (PID: 5772)
    • Process checks computer location settings

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
      • MSBuild.exe (PID: 5772)
    • Reads the software policy settings

      • MSBuild.exe (PID: 1180)
      • powershell.exe (PID: 6412)
      • MSBuild.exe (PID: 6748)
      • powershell.exe (PID: 6460)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 6348)
      • powershell.exe (PID: 6652)
      • slui.exe (PID: 6256)
      • powershell.exe (PID: 1612)
      • powershell.exe (PID: 1760)
      • powershell.exe (PID: 2064)
      • powershell.exe (PID: 1512)
    • Creates files or folders in the user directory

      • MSBuild.exe (PID: 1180)
    • Reads product name

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • Reads CPU info

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • Creates files in a temporary directory

      • MSBuild.exe (PID: 1180)
      • powershell.exe (PID: 6412)
      • csc.exe (PID: 5556)
      • cvtres.exe (PID: 3000)
      • MSBuild.exe (PID: 6748)
      • powershell.exe (PID: 1612)
      • cvtres.exe (PID: 3108)
      • powershell.exe (PID: 1760)
      • csc.exe (PID: 1028)
      • cvtres.exe (PID: 4968)
      • csc.exe (PID: 6364)
      • cvtres.exe (PID: 7052)
      • powershell.exe (PID: 2064)
      • cvtres.exe (PID: 2704)
      • csc.exe (PID: 868)
    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 6460)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 6348)
      • powershell.exe (PID: 6652)
      • powershell.exe (PID: 1612)
      • powershell.exe (PID: 1760)
      • powershell.exe (PID: 2064)
      • powershell.exe (PID: 1512)
    • Manual execution by a user

      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5560)
      • powershell.exe (PID: 6352)
    • Creates a byte array (POWERSHELL)

      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 6460)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 6348)
      • powershell.exe (PID: 1612)
      • powershell.exe (PID: 1760)
      • powershell.exe (PID: 2064)
      • powershell.exe (PID: 1512)
      • powershell.exe (PID: 6652)
    • Application launched itself

      • chrome.exe (PID: 1192)
      • msedge.exe (PID: 2192)
      • chrome.exe (PID: 724)
      • chrome.exe (PID: 6648)
      • chrome.exe (PID: 4936)
      • chrome.exe (PID: 2680)
      • chrome.exe (PID: 6200)
      • chrome.exe (PID: 5908)
      • chrome.exe (PID: 2524)
      • chrome.exe (PID: 6128)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 6460)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 6348)
      • powershell.exe (PID: 6652)
      • powershell.exe (PID: 1612)
      • powershell.exe (PID: 1760)
      • powershell.exe (PID: 2064)
      • powershell.exe (PID: 1512)
    • Uses Task Scheduler to autorun other applications (AUTOMATE)

      • powershell.exe (PID: 7052)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 303
Monitored processes: 167
Malicious processes: 19
Suspicious processes: 2

Behavior graph

The behavior graph is interactive in the full report; its nodes are the processes of the tree: powershell.exe, conhost.exe, f97837f3a395406eb0e64dd1806f7c6a.exe, MSBuild.exe (#VIDAR), wermgr.exe, schtasks.exe, chrome.exe, msedge.exe, csc.exe, cvtres.exe, 138bdb5fae13487d9639c3fd39e09359.exe, slui.exe, cmd.exe, timeout.exe, cdf1eed3c0924e24a6c1356328a7d1d6.exe, db3f2e62d2774c5dbfd1685001d0b423.exe and svchost.exe.

Process information (columns: PID, CMD, Path, Indicators, Parent process)
PID: 632
CMD: "C:\WINDOWS\system32\wermgr.exe" "-outproc" "0" "1180" "816" "648" "812" "0" "0" "808" "804" "0" "0" "0" "0"
Path: C:\Windows\SysWOW64\wermgr.exe
Parent process: MSBuild.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wermgr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 684
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=2148,i,8981303407497184450,9107497841575176628,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=1972 /prefetch:3
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 724
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: MSBuild.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 856
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,11986089335175315742,237658450855926053,262144 --variations-seed-version --mojo-platform-channel-handle=3148 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 868
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\r1xsum4y.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
PID: 1028
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\5hepwzak.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
PID: 1068
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESC771.tmp" "c:\Users\admin\AppData\Local\Temp\CSC14D3DED570134151B940303D5EF988A0.TMP"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process: csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
PID: 1096
CMD: "C:\Users\admin\AppData\Local\db3f2e62d2774c5dbfd1685001d0b423\db3f2e62d2774c5dbfd1685001d0b423.exe"
Path: C:\Users\admin\AppData\Local\db3f2e62d2774c5dbfd1685001d0b423\db3f2e62d2774c5dbfd1685001d0b423.exe
Parent process: powershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
4294967295
Modules
Images
c:\users\admin\appdata\local\db3f2e62d2774c5dbfd1685001d0b423\db3f2e62d2774c5dbfd1685001d0b423.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1100
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,6742827381227732256,8089011394470923052,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=3152 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1132
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3588,i,15762619036253478031,12858342416264643874,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=3748 /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
Total events: 129 068
Read events: 129 008
Write events: 60
Delete events: 0

Modification events

(PID) Process: (1180) MSBuild.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (1180) MSBuild.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (1180) MSBuild.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (1192) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (1192) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 2

(PID) Process: (1192) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 1

(PID) Process: (1192) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

(PID) Process: (1192) chrome.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation: write
Name: usagestats
Value: 0

(PID) Process: (2192) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (2192) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 2
Executable files: 20
Suspicious files: 147
Text files: 344
Unknown types: 1

Dropped files

PID | Process | Filename | Type
632 | wermgr.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_MSBuild.exe_273b3eb24c2e1721c7cb6d651b7ae2269ad4_00000000_9a26c280-0462-4237-9d3b-390afa1599ed\Report.wer | -
MD5:
SHA256:
4080 | wermgr.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_MSBuild.exe_81cbcef36c428f9c0d255798cff1ad72ac42989_00000000_e89cd88f-a695-4b44-8de9-419d8087d379\Report.wer | -
MD5:
SHA256:
4060 | wermgr.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_MSBuild.exe_266c5ea3bf1f513412e9a9a574c998d622a45d38_00000000_9b436368-3464-4980-8588-7bfbef3d02b2\Report.wer | -
MD5:
SHA256:
1180 | MSBuild.exe | C:\Users\admin\AppData\Local\Temp\tmpB815.tmp | text
MD5: EE196FD5FEB6B017724CA88D0838DF85
SHA256: 1A43C4C4CAC480E7D553314F1104F2DCFAB200098E851FA1BC2A238020C5E8D1
4080 | wermgr.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER96C1.tmp.WERInternalMetadata.xml | xml
MD5: 81B1996D16972F28859D667F59C9EC17
SHA256: DFAE13971533A9EBB3EFE1169D86650A6F0B60434A485F74BE7801B279E8083E
632 | wermgr.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER9644.tmp.WERInternalMetadata.xml | xml
MD5: 006C349D013477BF558A14314216A766
SHA256: E19382DC92791099FA9E26B4F5F27A5BF94356DB34DAA6386660940818600A2F
1180 | MSBuild.exe | C:\ProgramData\tr9r1\ln7qqq | text
MD5: 2FD670934FEF0C60E2119BD874AAF470
SHA256: 771A7C83CA015BDBC6AB86A7BD9B1D54E40062E28942D311A9178A0FE6433CF2
6412 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gbl25xnt.qlf.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4080 | wermgr.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER96E2.tmp.xml | xml
MD5: DBB5E8FF9031A520EC1386618DA8C98E
SHA256: E4BA2DA6F1C041EE5D402C1E7A2D8033BF627532FE9C74ACF2B409CDC5253128
6412 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hpvddeii.224.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 223
TCP/UDP connections: 271
DNS requests: 168
Threats: 33

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6004 | RUXIMICS.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6004 | RUXIMICS.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 91.92.46.234:443 | https://pip-install.dev/windows | unknown | text | 1.97 Kb | -
6720 | powershell.exe | GET | 301 | 91.92.46.234:80 | http://pip-install.dev/windows | unknown | - | - | -
- | - | GET | 200 | 91.92.46.234:443 | https://pip-install.dev/crypted.exe | unknown | executable | 1.07 Mb | malicious
- | - | POST | 200 | 40.126.31.128:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6004 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6004 | RUXIMICS.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
  • 2.20.245.139
  • 2.20.245.137
whitelisted
www.microsoft.com
  • 2.23.181.156
  • 95.101.149.131
whitelisted
pip-install.dev
  • 91.92.46.234
malicious
login.live.com
  • 20.190.159.64
  • 40.126.31.69
  • 40.126.31.3
  • 20.190.159.75
  • 40.126.31.1
  • 20.190.159.0
  • 40.126.31.73
  • 20.190.159.128
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted
t.me
  • 149.154.167.99
whitelisted
b1.a.exifit.ir
  • 91.99.174.2
malicious
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

PID | Process | Class | Message
- | - | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 14
- | - | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
- | - | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
- | - | Potentially Bad Traffic | ET HUNTING PowerShell DownloadFile Command Common In Powershell Stagers
- | - | Potentially Bad Traffic | ET ATTACK_RESPONSE PowerShell NoProfile Command Received In Powershell Stagers
- | - | A Network Trojan was detected | ET HUNTING Download Request Containing Suspicious Filename - Crypted
- | - | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
- | - | A Network Trojan was detected | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1
- | - | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
No debug info