File name:

malware.ps1.ps1

Full analysis: https://app.any.run/tasks/f767d465-0e0b-4a9c-bb9f-908a6258363d
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 06, 2025, 03:22:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
telegram
vidar
stealer
stealc
auto-sch
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5:

05B76E26F27349147DEC3BD9EC4180AB

SHA1:

2F14C2EF4EAED8DAE4F1E29E50922F051B7CACA4

SHA256:

1F47A61E18C1565B52AEF072B4170886AB4996D42D2E354B05DFEDF31DF3DA35

SSDEEP:

3:BHN8VIKWK2Gj:RN8VNjj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 6720)
      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5560)
      • powershell.exe (PID: 6352)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6720)
      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5560)
      • powershell.exe (PID: 6352)
    • VIDAR mutex has been found

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
      • MSBuild.exe (PID: 5772)
      • MSBuild.exe (PID: 4052)
    • Uses Task Scheduler to autorun other applications

      • powershell.exe (PID: 6720)
      • powershell.exe (PID: 5560)
      • powershell.exe (PID: 6352)
    • Actions look like stealing of personal data

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • Steals credentials from Web Browsers

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • VIDAR has been detected (YARA)

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5560)
      • powershell.exe (PID: 6352)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 6460)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 6348)
      • powershell.exe (PID: 6652)
      • powershell.exe (PID: 1612)
      • powershell.exe (PID: 1760)
      • powershell.exe (PID: 2064)
      • powershell.exe (PID: 1512)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 6460)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 6348)
      • powershell.exe (PID: 6652)
      • powershell.exe (PID: 1612)
      • powershell.exe (PID: 1760)
      • powershell.exe (PID: 2064)
      • powershell.exe (PID: 1512)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 6460)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 6348)
      • powershell.exe (PID: 6652)
      • powershell.exe (PID: 1612)
      • powershell.exe (PID: 1760)
      • powershell.exe (PID: 2064)
      • powershell.exe (PID: 1512)
    • Starts CMD.EXE for self-deleting

      • MSBuild.exe (PID: 1180)
  • SUSPICIOUS

    • Changes AMSI initialization state that disables detection systems (POWERSHELL)

      • powershell.exe (PID: 6720)
      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5560)
      • powershell.exe (PID: 6352)
    • Creates new GUID (POWERSHELL)

      • powershell.exe (PID: 6720)
      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5560)
      • powershell.exe (PID: 6352)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 6720)
      • csc.exe (PID: 5556)
      • powershell.exe (PID: 7052)
      • csc.exe (PID: 6296)
      • powershell.exe (PID: 5560)
      • csc.exe (PID: 3100)
      • csc.exe (PID: 2220)
      • csc.exe (PID: 5008)
      • powershell.exe (PID: 6352)
      • csc.exe (PID: 2536)
      • csc.exe (PID: 1028)
      • csc.exe (PID: 6364)
      • csc.exe (PID: 868)
    • Reads security settings of Internet Explorer

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • Searches for installed software

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • BASE64 encoded PowerShell command has been detected

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • There is functionality for taking screenshot (YARA)

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • The process bypasses the loading of PowerShell profile settings

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • Starts POWERSHELL.EXE for commands execution

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • The process hides an interactive prompt from the user

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • Base64-obfuscated command line is found

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 6460)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 6348)
      • powershell.exe (PID: 6652)
      • powershell.exe (PID: 1612)
      • powershell.exe (PID: 1760)
      • powershell.exe (PID: 2064)
      • powershell.exe (PID: 1512)
    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 6460)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 6348)
      • powershell.exe (PID: 6652)
      • powershell.exe (PID: 1612)
      • powershell.exe (PID: 1760)
      • powershell.exe (PID: 2064)
      • powershell.exe (PID: 1512)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 5556)
      • csc.exe (PID: 6296)
      • csc.exe (PID: 3100)
      • csc.exe (PID: 2220)
      • csc.exe (PID: 5008)
      • csc.exe (PID: 2536)
      • csc.exe (PID: 1028)
      • csc.exe (PID: 6364)
      • csc.exe (PID: 868)
    • Writes data to a memory stream (POWERSHELL)

      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 6460)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 6348)
      • powershell.exe (PID: 6652)
      • powershell.exe (PID: 1612)
      • powershell.exe (PID: 1760)
      • powershell.exe (PID: 2064)
      • powershell.exe (PID: 1512)
    • Starts CMD.EXE for commands execution

      • MSBuild.exe (PID: 1180)
    • Multiple wallet extension IDs have been found

      • MSBuild.exe (PID: 1180)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 5548)
    • Deletes system .NET executable

      • cmd.exe (PID: 5548)
  • INFO

    • Checks proxy server information

      • powershell.exe (PID: 6720)
      • MSBuild.exe (PID: 1180)
      • powershell.exe (PID: 7052)
      • MSBuild.exe (PID: 6748)
      • powershell.exe (PID: 5560)
      • powershell.exe (PID: 6352)
      • slui.exe (PID: 6256)
    • Disables trace logs

      • powershell.exe (PID: 6720)
      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5560)
      • powershell.exe (PID: 6352)
    • The executable file from the user directory is run by the Powershell process

      • f97837f3a395406eb0e64dd1806f7c6a.exe (PID: 4824)
    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 1180)
      • csc.exe (PID: 5556)
      • MSBuild.exe (PID: 6748)
      • csc.exe (PID: 6296)
      • MSBuild.exe (PID: 5772)
      • csc.exe (PID: 3100)
      • csc.exe (PID: 2220)
      • csc.exe (PID: 5008)
      • csc.exe (PID: 2536)
      • csc.exe (PID: 1028)
      • csc.exe (PID: 6364)
      • csc.exe (PID: 868)
    • Checks supported languages

      • f97837f3a395406eb0e64dd1806f7c6a.exe (PID: 4824)
      • MSBuild.exe (PID: 1180)
      • cvtres.exe (PID: 3000)
      • csc.exe (PID: 5556)
      • 138bdb5fae13487d9639c3fd39e09359.exe (PID: 3572)
      • MSBuild.exe (PID: 6748)
      • csc.exe (PID: 6296)
      • cvtres.exe (PID: 6368)
      • cdf1eed3c0924e24a6c1356328a7d1d6.exe (PID: 1204)
      • MSBuild.exe (PID: 5772)
      • csc.exe (PID: 3100)
      • cvtres.exe (PID: 1520)
      • cvtres.exe (PID: 1068)
      • csc.exe (PID: 2220)
      • db3f2e62d2774c5dbfd1685001d0b423.exe (PID: 1096)
      • cvtres.exe (PID: 3880)
      • csc.exe (PID: 5008)
      • csc.exe (PID: 2536)
      • cvtres.exe (PID: 3108)
      • csc.exe (PID: 1028)
      • cvtres.exe (PID: 4968)
      • csc.exe (PID: 6364)
      • cvtres.exe (PID: 7052)
      • csc.exe (PID: 868)
      • cvtres.exe (PID: 2704)
      • MSBuild.exe (PID: 4052)
    • Reads the computer name

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
      • MSBuild.exe (PID: 5772)
    • Creates files in the program directory

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • Process checks computer location settings

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
      • MSBuild.exe (PID: 5772)
    • Reads Environment values

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
      • MSBuild.exe (PID: 5772)
    • Reads the software policy settings

      • MSBuild.exe (PID: 1180)
      • powershell.exe (PID: 6412)
      • MSBuild.exe (PID: 6748)
      • powershell.exe (PID: 6460)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 6348)
      • powershell.exe (PID: 6652)
      • powershell.exe (PID: 1612)
      • slui.exe (PID: 6256)
      • powershell.exe (PID: 1760)
      • powershell.exe (PID: 2064)
      • powershell.exe (PID: 1512)
    • Creates files or folders in the user directory

      • MSBuild.exe (PID: 1180)
    • Reads product name

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • Reads CPU info

      • MSBuild.exe (PID: 1180)
      • MSBuild.exe (PID: 6748)
    • Creates files in a temporary directory

      • MSBuild.exe (PID: 1180)
      • powershell.exe (PID: 6412)
      • cvtres.exe (PID: 3000)
      • csc.exe (PID: 5556)
      • MSBuild.exe (PID: 6748)
      • powershell.exe (PID: 1612)
      • cvtres.exe (PID: 3108)
      • powershell.exe (PID: 1760)
      • csc.exe (PID: 1028)
      • cvtres.exe (PID: 4968)
      • powershell.exe (PID: 2064)
      • csc.exe (PID: 6364)
      • cvtres.exe (PID: 7052)
      • csc.exe (PID: 868)
      • cvtres.exe (PID: 2704)
    • Manual execution by a user

      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 5560)
      • powershell.exe (PID: 6352)
    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 6460)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 6348)
      • powershell.exe (PID: 6652)
      • powershell.exe (PID: 1612)
      • powershell.exe (PID: 1760)
      • powershell.exe (PID: 2064)
      • powershell.exe (PID: 1512)
    • Application launched itself

      • chrome.exe (PID: 1192)
      • msedge.exe (PID: 2192)
      • chrome.exe (PID: 724)
      • chrome.exe (PID: 6648)
      • chrome.exe (PID: 4936)
      • chrome.exe (PID: 2680)
      • chrome.exe (PID: 6200)
      • chrome.exe (PID: 5908)
      • chrome.exe (PID: 2524)
      • chrome.exe (PID: 6128)
    • Creates a byte array (POWERSHELL)

      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 6460)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 6348)
      • powershell.exe (PID: 6652)
      • powershell.exe (PID: 1612)
      • powershell.exe (PID: 1760)
      • powershell.exe (PID: 2064)
      • powershell.exe (PID: 1512)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 6460)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 6348)
      • powershell.exe (PID: 6652)
      • powershell.exe (PID: 1612)
      • powershell.exe (PID: 1760)
      • powershell.exe (PID: 2064)
      • powershell.exe (PID: 1512)
    • Uses Task Scheduler to autorun other applications (AUTOMATE)

      • powershell.exe (PID: 7052)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
303
Monitored processes
167
Malicious processes
19
Suspicious processes
2

Behavior graph

Flattened process list from the interactive behavior graph (processes the graph labels "no specs" carry no specific indicators; "#VIDAR" marks the msbuild.exe instances flagged as Vidar): start, powershell.exe, conhost.exe, f97837f3a395406eb0e64dd1806f7c6a.exe, #VIDAR msbuild.exe, wermgr.exe, schtasks.exe, chrome.exe, csc.exe, cvtres.exe, 138bdb5fae13487d9639c3fd39e09359.exe, msedge.exe, slui.exe, cmd.exe, timeout.exe, cdf1eed3c0924e24a6c1356328a7d1d6.exe, db3f2e62d2774c5dbfd1685001d0b423.exe, svchost.exe. Each powershell.exe stage spawns csc.exe and cvtres.exe (in-memory C# compilation) and a dropped executable, which in turn starts the #VIDAR msbuild.exe instance; the full tree is available in the interactive report.

Process information

PID
CMD
Path
Indicators
Parent process
PID: 632
CMD: "C:\WINDOWS\system32\wermgr.exe" "-outproc" "0" "1180" "816" "648" "812" "0" "0" "808" "804" "0" "0" "0" "0"
Path: C:\Windows\SysWOW64\wermgr.exe
Parent process: MSBuild.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wermgr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 684
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=2148,i,8981303407497184450,9107497841575176628,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=1972 /prefetch:3
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 724
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: MSBuild.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 856
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,11986089335175315742,237658450855926053,262144 --variations-seed-version --mojo-platform-channel-handle=3148 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 868
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\r1xsum4y.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
PID: 1028
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\5hepwzak.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
PID: 1068
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESC771.tmp" "c:\Users\admin\AppData\Local\Temp\CSC14D3DED570134151B940303D5EF988A0.TMP"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process: csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
PID: 1096
CMD: "C:\Users\admin\AppData\Local\db3f2e62d2774c5dbfd1685001d0b423\db3f2e62d2774c5dbfd1685001d0b423.exe"
Path: C:\Users\admin\AppData\Local\db3f2e62d2774c5dbfd1685001d0b423\db3f2e62d2774c5dbfd1685001d0b423.exe
Parent process: powershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
4294967295
Modules
Images
c:\users\admin\appdata\local\db3f2e62d2774c5dbfd1685001d0b423\db3f2e62d2774c5dbfd1685001d0b423.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1100
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --subproc-heap-profiling --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,6742827381227732256,8089011394470923052,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=3152 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1132
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3588,i,15762619036253478031,12858342416264643874,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=3748 /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
Total events
129 068
Read events
129 008
Write events
60
Delete events
0

Modification events

(PID) Process: (1180) MSBuild.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:
(PID) Process: (1180) MSBuild.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:
(PID) Process: (1180) MSBuild.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
(PID) Process: (1192) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: failed_count
Value: 0
(PID) Process: (1192) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 2
(PID) Process: (1192) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 1
(PID) Process: (1192) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process: (1192) chrome.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation: write
Name: usagestats
Value: 0
(PID) Process: (2192) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0
(PID) Process: (2192) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 2
Executable files
20
Suspicious files
147
Text files
344
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 632
Process: wermgr.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_MSBuild.exe_273b3eb24c2e1721c7cb6d651b7ae2269ad4_00000000_9a26c280-0462-4237-9d3b-390afa1599ed\Report.wer
Type:
MD5:
SHA256:
PID: 4080
Process: wermgr.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_MSBuild.exe_81cbcef36c428f9c0d255798cff1ad72ac42989_00000000_e89cd88f-a695-4b44-8de9-419d8087d379\Report.wer
Type:
MD5:
SHA256:
PID: 4060
Process: wermgr.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_MSBuild.exe_266c5ea3bf1f513412e9a9a574c998d622a45d38_00000000_9b436368-3464-4980-8588-7bfbef3d02b2\Report.wer
Type:
MD5:
SHA256:
PID: 6720
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_m1flluig.fu2.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 6720
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF175da0.TMP
Type: binary
MD5: 00A03B286E6E0EBFF8D9C492365D5EC2
SHA256: 4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615
PID: 4080
Process: wermgr.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER96C1.tmp.WERInternalMetadata.xml
Type: xml
MD5: 81B1996D16972F28859D667F59C9EC17
SHA256: DFAE13971533A9EBB3EFE1169D86650A6F0B60434A485F74BE7801B279E8083E
PID: 6720
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Type: binary
MD5: 3DCBC11A5BC5B708727119AD93999BDF
SHA256: FC3D95B056F3AD899E6553CA989AC5D381319E7C721384D4598885A02DECC1D1
PID: 6720
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\f97837f3a395406eb0e64dd1806f7c6a\f97837f3a395406eb0e64dd1806f7c6a.exe
Type: executable
MD5: 4CC583AB208DE8F98623693EA7AC6F2A
SHA256: 9379146AE88F8C3B75DFEF85EBDED90F5DBD8F0B94DBA3F59C14E7AA9DD2A40A
PID: 632
Process: wermgr.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER9665.tmp.xml
Type: xml
MD5: 945BA81875B07E3B9CDD67EDB6424665
SHA256: 47F09F7433369ECE70AB9426F5A90156B88F2FC3CF2ECDE2EF479CD0AB40AFCD
PID: 4060
Process: wermgr.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER975E.tmp.WERInternalMetadata.xml
Type: xml
MD5: ED38D0C9A43C19B168192745E605C417
SHA256: 5DD589BD09E07815BA888607A19537809207B372FC5E507A9830F1487631D50D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
223
TCP/UDP connections
271
DNS requests
168
Threats
33

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6004
RUXIMICS.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6004
RUXIMICS.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
91.92.46.234:443
https://pip-install.dev/windows
unknown
text
1.97 Kb
6720
powershell.exe
GET
301
91.92.46.234:80
http://pip-install.dev/windows
unknown
unknown
GET
200
91.92.46.234:443
https://pip-install.dev/crypted.exe
unknown
executable
1.07 Mb
malicious
POST
200
40.126.31.128:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6004
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6004
RUXIMICS.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
  • 2.20.245.139
  • 2.20.245.137
whitelisted
www.microsoft.com
  • 2.23.181.156
  • 95.101.149.131
whitelisted
pip-install.dev
  • 91.92.46.234
malicious
login.live.com
  • 20.190.159.64
  • 40.126.31.69
  • 40.126.31.3
  • 20.190.159.75
  • 40.126.31.1
  • 20.190.159.0
  • 40.126.31.73
  • 20.190.159.128
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted
t.me
  • 149.154.167.99
whitelisted
b1.a.exifit.ir
  • 91.99.174.2
malicious
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

PID
Process
Class
Message
6720
powershell.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 14
6720
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
Potentially Bad Traffic
ET HUNTING PowerShell DownloadFile Command Common In Powershell Stagers
Potentially Bad Traffic
ET ATTACK_RESPONSE PowerShell NoProfile Command Received In Powershell Stagers
A Network Trojan was detected
ET HUNTING Download Request Containing Suspicious Filename - Crypted
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
1180
MSBuild.exe
Misc activity
ET INFO Observed Telegram Domain (t .me in TLS SNI)
A Network Trojan was detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
No debug info