File name: i.ps1
Full analysis: https://app.any.run/tasks/71f7084b-1079-44db-86ef-4bb0d0330ea7
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 11, 2025, 21:43:32
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
api-base64
susp-powershell
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (2718), with no line terminators
MD5: A82BA476983CA8DBBE118A50F19E0A00
SHA1: AE963F99C7E608C918D0F26832CA865D6A33A07B
SHA256: 3AA93EFFA3091B75D7E47769E9C73FD69054C34D78FF99501DEA6655B9CEC8B3
SSDEEP: 48:3lW3vJN6RYqXlto43eU0Fwd3M1sCfaL9Y3V1z586/vcHJPA8hy7gTgK:UNX543xSLwGHt86vYP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4052)
      • powershell.exe (PID: 5156)
      • powershell.exe (PID: 2612)
      • powershell.exe (PID: 2972)
      • powershell.exe (PID: 3080)
      • powershell.exe (PID: 4704)
      • powershell.exe (PID: 2996)
      • powershell.exe (PID: 5568)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 4052)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 4052)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 5936)
      • cmd.exe (PID: 2144)
      • cmd.exe (PID: 3188)
      • SearchFilter.exe (PID: 3208)
      • cmd.exe (PID: 4968)
      • cmd.exe (PID: 5488)
      • powershell.exe (PID: 2996)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2612)
      • powershell.exe (PID: 2996)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 3732)
      • cmd.exe (PID: 536)
      • cmd.exe (PID: 4972)
    • UAC/LUA settings modification

      • reg.exe (PID: 5992)
    • Disables Windows Defender

      • reg.exe (PID: 4360)
      • reg.exe (PID: 420)
      • reg.exe (PID: 5888)
      • reg.exe (PID: 4824)
      • reg.exe (PID: 5448)
    • Deletes shadow copies

      • powershell.exe (PID: 5568)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 4052)
      • 7z.exe (PID: 5316)
      • SearchFilter.exe (PID: 3208)
      • csc.exe (PID: 1944)
      • SearchFilter.exe (PID: 1448)
    • Drops 7-zip archiver for unpacking

      • powershell.exe (PID: 4052)
      • SearchFilter.exe (PID: 3208)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 4052)
    • Creates new GUID (POWERSHELL)

      • powershell.exe (PID: 4052)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 4052)
    • Process drops legitimate windows executable

      • 7z.exe (PID: 5316)
    • Starts CMD.EXE for commands execution

      • SearchFilter.exe (PID: 3208)
      • SearchFilter.exe (PID: 1448)
    • Starts NET.EXE to display or manage information about active sessions

      • net.exe (PID: 6028)
      • cmd.exe (PID: 1744)
    • Application launched itself

      • SearchFilter.exe (PID: 3208)
      • SearchFilter.exe (PID: 1448)
      • powershell.exe (PID: 2996)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5936)
      • cmd.exe (PID: 2144)
      • cmd.exe (PID: 3188)
      • cmd.exe (PID: 4968)
      • SearchFilter.exe (PID: 3208)
      • cmd.exe (PID: 5488)
      • powershell.exe (PID: 2996)
    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 5872)
    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 2124)
    • Uses WMIC.EXE to obtain local storage devices information

      • cmd.exe (PID: 4520)
    • The process executes Powershell scripts

      • cmd.exe (PID: 3188)
      • cmd.exe (PID: 5488)
      • powershell.exe (PID: 2996)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 1944)
    • Starts process via Powershell

      • powershell.exe (PID: 4704)
      • powershell.exe (PID: 2996)
    • Found strings related to reading or modifying Windows Defender settings

      • SearchFilter.exe (PID: 1448)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 5488)
      • powershell.exe (PID: 2996)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 4668)
      • cmd.exe (PID: 5912)
      • cmd.exe (PID: 4036)
      • cmd.exe (PID: 1864)
      • cmd.exe (PID: 932)
      • cmd.exe (PID: 4824)
      • cmd.exe (PID: 3808)
      • cmd.exe (PID: 4360)
      • cmd.exe (PID: 2828)
      • cmd.exe (PID: 5888)
      • cmd.exe (PID: 3524)
      • cmd.exe (PID: 848)
      • cmd.exe (PID: 3888)
      • cmd.exe (PID: 3828)
      • cmd.exe (PID: 5488)
      • cmd.exe (PID: 3864)
      • cmd.exe (PID: 2744)
      • cmd.exe (PID: 1864)
      • cmd.exe (PID: 5788)
      • cmd.exe (PID: 4824)
      • cmd.exe (PID: 4036)
      • cmd.exe (PID: 4024)
      • cmd.exe (PID: 3920)
      • cmd.exe (PID: 4972)
      • cmd.exe (PID: 536)
      • cmd.exe (PID: 4648)
      • cmd.exe (PID: 2736)
      • cmd.exe (PID: 5856)
      • cmd.exe (PID: 420)
      • cmd.exe (PID: 624)
      • cmd.exe (PID: 5112)
      • cmd.exe (PID: 2904)
      • cmd.exe (PID: 2076)
      • cmd.exe (PID: 3864)
      • cmd.exe (PID: 4648)
    • Modifies existing scheduled task

      • schtasks.exe (PID: 2972)
      • schtasks.exe (PID: 4596)
      • schtasks.exe (PID: 420)
      • schtasks.exe (PID: 420)
      • schtasks.exe (PID: 5212)
    • Executes as Windows Service

      • VSSVC.exe (PID: 4640)
  • INFO

    • Creates files in the program directory

      • powershell.exe (PID: 4052)
      • SearchFilter.exe (PID: 3208)
    • Disables trace logs

      • powershell.exe (PID: 4052)
    • Checks proxy server information

      • powershell.exe (PID: 4052)
      • SearchFilter.exe (PID: 3208)
      • SearchFilter.exe (PID: 1448)
    • The sample compiled with english language support

      • powershell.exe (PID: 4052)
      • 7z.exe (PID: 5316)
      • SearchFilter.exe (PID: 3208)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4052)
    • Checks supported languages

      • 7z.exe (PID: 5316)
      • SearchFilter.exe (PID: 3208)
      • SearchFilter.exe (PID: 1468)
      • SearchFilter.exe (PID: 3820)
      • csc.exe (PID: 1944)
      • cvtres.exe (PID: 2040)
      • SearchFilter.exe (PID: 1448)
      • SearchFilter.exe (PID: 3700)
      • SearchFilter.exe (PID: 5792)
    • The process uses the downloaded file

      • powershell.exe (PID: 4052)
      • powershell.exe (PID: 4704)
      • powershell.exe (PID: 2996)
    • Reads the computer name

      • 7z.exe (PID: 5316)
      • SearchFilter.exe (PID: 3208)
      • SearchFilter.exe (PID: 1468)
      • SearchFilter.exe (PID: 3820)
      • SearchFilter.exe (PID: 1448)
      • SearchFilter.exe (PID: 3700)
      • SearchFilter.exe (PID: 5792)
    • Create files in a temporary directory

      • 7z.exe (PID: 5316)
      • SearchFilter.exe (PID: 3208)
      • csc.exe (PID: 1944)
      • cvtres.exe (PID: 2040)
      • SearchFilter.exe (PID: 1448)
    • The executable file from the user directory is run by the Powershell process

      • SearchFilter.exe (PID: 3208)
      • SearchFilter.exe (PID: 1448)
    • Reads Environment values

      • SearchFilter.exe (PID: 3208)
      • SearchFilter.exe (PID: 1448)
    • Reads product name

      • SearchFilter.exe (PID: 3208)
      • SearchFilter.exe (PID: 1448)
    • Reads the machine GUID from the registry

      • SearchFilter.exe (PID: 3208)
      • csc.exe (PID: 1944)
      • SearchFilter.exe (PID: 1448)
    • Process checks computer location settings

      • SearchFilter.exe (PID: 3208)
      • SearchFilter.exe (PID: 1448)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5872)
      • WMIC.exe (PID: 848)
    • Creates files or folders in the user directory

      • SearchFilter.exe (PID: 3208)
    • Found Base64 encoded access to processes via PowerShell (YARA)

      • SearchFilter.exe (PID: 3208)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • SearchFilter.exe (PID: 3208)
    • Potential access to remote process (Base64 Encoded 'OpenProcess')

      • SearchFilter.exe (PID: 3208)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5568)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5568)
No Malware configuration.
Total processes: 293
Monitored processes: 172
Malicious processes: 6
Suspicious processes: 10

Behavior graph

[Interactive process graph, available in the full report. Processes shown, in order: powershell.exe, conhost.exe, 7z.exe, conhost.exe, searchfilter.exe, cmd.exe, conhost.exe, net.exe, net1.exe, searchfilter.exe, searchfilter.exe, several cmd.exe / conhost.exe / powershell.exe chains, wmic.exe (twice), csc.exe, cvtres.exe, further powershell.exe and searchfilter.exe instances, three cmd.exe / conhost.exe / schtasks.exe triples, a long series of cmd.exe / conhost.exe / reg.exe triples, five more cmd.exe / conhost.exe / schtasks.exe triples, then vssadmin.exe and vssvc.exe.]

Process information

PID: 308
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID: 396
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID: 396
CMD: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\reg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll

PID: 420
CMD: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\reg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll

PID: 420
CMD: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\reg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll

PID: 420
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f"
Path: C:\Windows\System32\cmd.exe
Parent process: SearchFilter.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sechost.dll

PID: 420
CMD: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\schtasks.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll

PID: 420
CMD: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\schtasks.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll

PID: 536
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "schtasks /create /tn "\Microsoft\Windows\Device Guide\RegisterDevicePowerStateChange" /tr "C:\ProgramData\DiagnosisSync\current\Microsoft.exe" /sc once /st 00:00 /du 9999:59 /ri 60 /RL HIGHEST /F"
Path: C:\Windows\System32\cmd.exe
Parent process: SearchFilter.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sechost.dll

PID: 536
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

Total events: 42 130
Read events: 42 091
Write events: 31
Delete events: 8

Modification events

Process (PID): reg.exe (4556)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\WindowsDefenderSecurityCenter
Operation: write
Name: Enabled
Value: 0

Process (PID): reg.exe (2680)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications
Operation: write
Name: ToastEnabled
Value: 0

Process (PID): reg.exe (2928)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
Operation: write
Name: DisableNotifications
Value: 1

Process (PID): reg.exe (4648)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
Operation: write
Name: DisableNotifications
Value: 1

Process (PID): reg.exe (5404)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications
Operation: write
Name: DisableEnhancedNotifications
Value: 1

Process (PID): reg.exe (5992)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager
Operation: delete key
Name: (default)
Value:

Process (PID): reg.exe (5992)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
Operation: delete key
Name: (default)
Value:

Process (PID): reg.exe (5992)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
Operation: delete key
Name: (default)
Value:

Process (PID): reg.exe (5992)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Operation: delete key
Name: (default)
Value:

Process (PID): reg.exe (1864)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Operation: write
Name: AllowFastServiceStartup
Value: 0

Executable files: 17
Suspicious files: 68
Text files: 21
Unknown types: 0

Dropped files

PID | Process | Filename | Type

4052 | powershell.exe | C:\Users\admin\AppData\Local\Temp\e87a60c4-a397-4d48-b5c3-88218bdb7e7d.7z | -
  MD5: -
  SHA256: -

5316 | 7z.exe | C:\Users\admin\AppData\Local\Temp\1a85e367-4a9c-471a-9849-9f9286e2a5f2\icudtl.dat | -
  MD5: -
  SHA256: -

4052 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_240yibtp.wwi.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

4052 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pollfs2j.ctq.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

5316 | 7z.exe | C:\Users\admin\AppData\Local\Temp\1a85e367-4a9c-471a-9849-9f9286e2a5f2\chrome_200_percent.pak | binary
  MD5: 4610337E3332B7E65B73A6EA738B47DF
  SHA256: C91ABF556E55C29D1EA9F560BB17CC3489CB67A5D0C7A22B58485F5F2FBCF25C

4052 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F0OGQGM58H4VPSTW34MB.temp | binary
  MD5: A6B94835B1807C66281AB50FD2F3C60A
  SHA256: 6D90E2369EF2E0F93F637C7315900086C19A7828975686064FC5E2E39CADC410

5316 | 7z.exe | C:\Users\admin\AppData\Local\Temp\1a85e367-4a9c-471a-9849-9f9286e2a5f2\chrome_100_percent.pak | binary
  MD5: ACD0FA0A90B43CD1C87A55A991B4FAC3
  SHA256: CCBCA246B9A93FA8D4F01A01345E7537511C590E4A8EFD5777B1596D10923B4B

4052 | powershell.exe | C:\ProgramData\sevenZip\7z.exe | executable
  MD5: 9F018E5FEB96AAE0E893A739C83A8B1F
  SHA256: D2C0045523CF053A6B43F9315E9672FC2535F06AEADD4FFA53C729CD8B2B6DFE

5316 | 7z.exe | C:\Users\admin\AppData\Local\Temp\1a85e367-4a9c-471a-9849-9f9286e2a5f2\locales\bg.pak | binary
  MD5: A19269683A6347E07C55325B9ECC03A4
  SHA256: AD65351A240205E881EF5C4CF30AD1BC6B6E04414343583597086B62D48D8A24

5316 | 7z.exe | C:\Users\admin\AppData\Local\Temp\1a85e367-4a9c-471a-9849-9f9286e2a5f2\locales\bn.pak | binary
  MD5: 5CDD07FA357C846771058C2DB67EB13B
  SHA256: 01C830B0007B8CE6ACA46E26D812947C3DF818927B826F7D8C5FFD0008A32384
HTTP(S) requests: 12
TCP/UDP connections: 28
DNS requests: 14
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2624 | svchost.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2624 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 302 | 140.82.121.3:443 | https://github.com/Fxkw45/delhi-metro/releases/download/metro/SearchFilter.7z | unknown | - | - | -
- | - | GET | 302 | 140.82.121.3:443 | https://github.com/monasterydiv7786-1/records-at-large/releases/download/scoopunit/django | unknown | - | - | -
- | - | GET | 302 | 140.82.121.3:443 | https://github.com/nguyendeptrai2004/ARFramework/releases/download/Muck/BitDefender.7z | unknown | - | - | -
- | - | GET | 200 | 49.12.202.237:443 | https://www.7-zip.org/a/7zr.exe | unknown | executable | 579 Kb | whitelisted
- | - | GET | 200 | 188.114.96.3:443 | https://rlim.com/seraswodinsx/raw | unknown | text | 192 b | -
- | - | GET | 200 | 140.82.121.3:443 | https://github.com/ | unknown | html | 261 Kb | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2624 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 2.23.227.208:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2624 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2624 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
www.bing.com | 2.23.227.208, 2.23.227.215 | whitelisted
google.com | 142.250.185.238 | whitelisted
crl.microsoft.com | 2.16.241.12, 2.16.241.19 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
www.7-zip.org | 49.12.202.237 | whitelisted
rlim.com | 188.114.96.3, 188.114.97.3 | unknown
github.com | 140.82.121.3 | shared
objects.githubusercontent.com | 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133 | shared
self.events.data.microsoft.com | 40.79.173.41 | whitelisted

Threats

No threats detected
No debug info