File name:

file.ps1

Full analysis: https://app.any.run/tasks/919bf6b0-9476-45ee-ad88-dc6981c2b444
Verdict: Malicious activity
Analysis date: April 29, 2025, 10:18:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

47ABE59F50C6D7657E14FBFBB5DB7804

SHA1:

FEB5B306DCF7E16227705A65D3ED60111F59A98B

SHA256:

36C5D4E97E6DC840EDD07B19E0BE0B3D845519667BBDF8E28D78322DF894C9E1

SSDEEP:

48:MoQMTz0jW+1F8J8fDyPkpHHdPQS1uBTwnYSzmqDQHKknsoBVw0Nj/xlnxfS:M3RU8fDJpFxETspDQ0o7wmg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7692)
      • powershell.exe (PID: 664)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 664)

  • SUSPICIOUS

    • Uses SYSTEMINFO.EXE to read the environment

      • powershell.exe (PID: 7692)
      • powershell.exe (PID: 664)

    • Changes AMSI initialization state that disables detection systems (POWERSHELL)

      • powershell.exe (PID: 7692)
      • powershell.exe (PID: 664)

    • Process uses IPCONFIG to discover network configuration

      • powershell.exe (PID: 7692)
      • powershell.exe (PID: 664)

    • Uses NETSH.EXE to obtain data on the network

      • powershell.exe (PID: 7692)
      • powershell.exe (PID: 664)

    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 7692)
      • powershell.exe (PID: 664)

    • Potential Corporate Privacy Violation

      • powershell.exe (PID: 664)
      • powershell.exe (PID: 7692)

  • INFO

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7692)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7692)
      • powershell.exe (PID: 664)

    • Manual execution by a user

      • powershell.exe (PID: 664)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 7692)
      • powershell.exe (PID: 664)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7692)
      • powershell.exe (PID: 664)

    • Checks proxy server information

      • powershell.exe (PID: 7692)
      • powershell.exe (PID: 664)
      • slui.exe (PID: 7464)

    • Disables trace logs

      • powershell.exe (PID: 7692)
      • powershell.exe (PID: 664)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 664)

    • Reads the software policy settings

      • slui.exe (PID: 7464)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
140
Monitored processes
15
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe conhost.exe no specs systeminfo.exe no specs powershell.exe conhost.exe no specs tiworker.exe no specs ipconfig.exe no specs netstat.exe no specs systeminfo.exe no specs netsh.exe no specs ipconfig.exe no specs netstat.exe no specs netsh.exe no specs slui.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
664powershell -w hidden -ep bypass -f "C:\Users\admin\AppData\Roaming\WindowsUpdate.ps1"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
2108C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -EmbeddingC:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Modules Installer Worker
Exit code:
0
Version:
10.0.19041.3989 (WinBuild.160101.0800)
Modules
Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2244"C:\WINDOWS\system32\NETSTAT.EXE" -anoC:\Windows\System32\NETSTAT.EXEpowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Netstat Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netstat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\snmpapi.dll
2320"C:\WINDOWS\system32\netsh.exe" wlan show profilesC:\Windows\System32\netsh.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3240"C:\WINDOWS\system32\ipconfig.exe" /allC:\Windows\System32\ipconfig.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
5216\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6620"C:\WINDOWS\system32\NETSTAT.EXE" -anoC:\Windows\System32\NETSTAT.EXEpowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Netstat Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netstat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\snmpapi.dll
c:\windows\system32\iphlpapi.dll
7048"C:\WINDOWS\system32\netsh.exe" wlan show profilesC:\Windows\System32\netsh.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7148"C:\WINDOWS\system32\systeminfo.exe"C:\Windows\System32\systeminfo.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Displays system information
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\systeminfo.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
32 283
Read events
32 277
Write events
6
Delete events
0

Modification events

(PID) Process:(7692) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:SysUpdate
Value:
powershell -w hidden -ep bypass -f "C:\Users\admin\AppData\Roaming\WindowsUpdate.ps1"
(PID) Process:(2108) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdHigh
Value:
31176944
(PID) Process:(2108) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdLow
Value:
492025348
(PID) Process:(664) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:SysUpdate
Value:
powershell -w hidden -ep bypass -f "C:\Users\admin\AppData\Roaming\WindowsUpdate.ps1"
(PID) Process:(2108) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdLow
Value:
538243688
Executable files
0
Suspicious files
12
Text files
7
Unknown types
0

Dropped files

PID
Process
Filename
Type
7692powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:22225C2072D41CF923BB5E38B0B8BF3B
SHA256:6B8A14BFCFCF9E425FCD0A7B0C46CB0333C42BA4B10A1A7DEA0C3EF6F2864E9C
664powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_35jaj20o.bji.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7692powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ptindzlw.fn4.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7692powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_iewrvveu.scv.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7692powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EFYGCOQAYV8O4FXICFMW.tempbinary
MD5:22225C2072D41CF923BB5E38B0B8BF3B
SHA256:6B8A14BFCFCF9E425FCD0A7B0C46CB0333C42BA4B10A1A7DEA0C3EF6F2864E9C
7692powershell.exeC:\Users\admin\AppData\Roaming\WindowsUpdate.ps1text
MD5:47ABE59F50C6D7657E14FBFBB5DB7804
SHA256:36C5D4E97E6DC840EDD07B19E0BE0B3D845519667BBDF8E28D78322DF894C9E1
664powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xbrq4ogy.yvn.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7692powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10e38c.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
7692powershell.exeC:\Users\admin\AppData\Local\Temp\loot.zipcompressed
MD5:76CDB2BAD9582D23C1F6F4D868218D6C
SHA256:8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85
664powershell.exeC:\Users\admin\AppData\Local\Temp\loot.zipcompressed
MD5:C8DE37EB07EE9184CCEDEECD09D2757D
SHA256:5DA8832AFFD91E1FC554E1620C79B8964C330A99AB025D61DCEDEC6590ECD2B8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
27
DNS requests
8
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
7692
powershell.exe
POST
301
209.196.146.115:80
http://attacker.com/upload.php
unknown
malicious
664
powershell.exe
POST
301
209.196.146.115:80
http://attacker.com/upload.php
unknown
malicious
GET
200
209.196.146.115:443
https://attacker.com/upload.php
unknown
html
12.3 Kb
malicious
GET
200
209.196.146.115:443
https://attacker.com/upload.php
unknown
html
12.3 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
7692
powershell.exe
209.196.146.115:80
attacker.com
COGECO-PEER1
US
malicious
7692
powershell.exe
209.196.146.115:443
attacker.com
COGECO-PEER1
US
malicious
664
powershell.exe
209.196.146.115:80
attacker.com
COGECO-PEER1
US
malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
attacker.com
  • 209.196.146.115
malicious
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
7692
powershell.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Sending Screenshot in Archive via POST Request
664
powershell.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Sending Screenshot in Archive via POST Request
664
powershell.exe
Misc activity
ET HUNTING ZIP file exfiltration over raw TCP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
file.ps1