File name:

sandbox.ps1

Full analysis: https://app.any.run/tasks/2afd84df-6d84-497a-be30-85f461c6714f
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: November 24, 2024, 21:25:00
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

8764A988CD7F0E0DB0215F83BECB7AD2

SHA1:

9C8139641005EFF30C5E8A96BE33E8E539A28EC6

SHA256:

47BBE1308EAEFE5F64F17F546087CBAEEA982E8C2AEC36DF4BA3F9181798826C

SSDEEP:

6:SEhbKAIJrL4XRUs76NOctnyeAz9N8vSWV2Vr/x1EwKBM3S1RpTCsu2xK5rgpieZr:pQRiRUs7TctPAz9N8vSWVOjaIS1fC2kc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5308)

    • Modifies registry (POWERSHELL)

      • powershell.exe (PID: 5308)

    • Actions looks like stealing of personal data

      • msiexec.exe (PID: 3744)

    • Steals credentials from Web Browsers

      • msiexec.exe (PID: 3744)

  • SUSPICIOUS

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 5308)

    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 5308)

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 5308)

    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 5308)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 5308)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 5308)
      • mdnsresponder.exe (PID: 4740)

    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 5308)

    • Process drops SQLite DLL files

      • powershell.exe (PID: 5308)
      • mdnsresponder.exe (PID: 4740)

    • The process drops C-runtime libraries

      • powershell.exe (PID: 5308)

    • Starts application with an unusual extension

      • mdnsresponder.exe (PID: 4740)

  • INFO

    • Checks proxy server information

      • powershell.exe (PID: 5308)

    • Disables trace logs

      • powershell.exe (PID: 5308)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5308)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 5308)

    • The process uses the downloaded file

      • powershell.exe (PID: 5308)

    • The executable file from the user directory is run by the Powershell process

      • mdnsresponder.exe (PID: 4740)

    • Checks supported languages

      • mdnsresponder.exe (PID: 4740)
      • more.com (PID: 5720)

    • Reads the computer name

      • mdnsresponder.exe (PID: 4740)
      • more.com (PID: 5720)

    • Create files in a temporary directory

      • mdnsresponder.exe (PID: 4740)
      • more.com (PID: 5720)

    • Reads the software policy settings

      • msiexec.exe (PID: 3744)

    • Creates files or folders in the user directory

      • mdnsresponder.exe (PID: 4740)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
6
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start powershell.exe conhost.exe no specs mdnsresponder.exe more.com no specs conhost.exe no specs msiexec.exe

Process information

PID
CMD
Path
Indicators
Parent process
3208\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exemore.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3744C:\WINDOWS\SysWOW64\msiexec.exeC:\Windows\SysWOW64\msiexec.exe
more.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\jginiadxorqa
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
4740"C:\Users\admin\AppData\Roaming\YrsbtdxL\mdnsresponder.exe" C:\Users\admin\AppData\Roaming\YrsbtdxL\mdnsresponder.exe
powershell.exe
User:
admin
Company:
iTop Inc.
Integrity Level:
MEDIUM
Description:
iTop Data Recovery Service
Exit code:
1
Version:
4.0.0.168
Modules
Images
c:\users\admin\appdata\roaming\yrsbtdxl\mdnsresponder.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
5096\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5308"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\sandbox.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
5720C:\WINDOWS\SysWOW64\more.comC:\Windows\SysWOW64\more.commdnsresponder.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
More Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\more.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ulib.dll
Total events
9 207
Read events
9 206
Write events
1
Delete events
0

Modification events

(PID) Process:(5308) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:NetUtilityApp
Value:
C:\Users\admin\AppData\Roaming\YrsbtdxL\mdnsresponder.exe
Executable files
78
Suspicious files
10
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
5308powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1361bb.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
5308powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gr4avlul.4bo.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5308powershell.exeC:\Users\admin\AppData\Roaming\YrsbtdxL\HEIC_SWIG_DLL_v142.dllexecutable
MD5:0EDD60513A12689189309B50261E8979
SHA256:54F9E01DF5A6061A4D84BDC0FC0D263A70F4FA2BAE307146BAE9D00B90226DAB
5308powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2zckfof5.fde.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5308powershell.exeC:\Users\admin\AppData\Roaming\YrsbtdxL\HEIC-NET.dllexecutable
MD5:F71EAB315B80F78427311034A6BB46E2
SHA256:4F27E6E32F1DFF1BC6B0F4E79B32A07DA5554844CE4820A7920E5107C67F2F40
5308powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MR4QGH8UIM20RMJ7H8UA.tempbinary
MD5:C11A6684FB43DE1CFA3E8ED85D6DB33C
SHA256:AA7E54A8DF9FC1F76CE066466BA5B4442443BD49ABBE426AA89C0B63726DE5A1
5308powershell.exeC:\Users\admin\AppData\Roaming\YrsbtdxL\Microsoft.AppCenter.Analytics.dllexecutable
MD5:06C46082C5D357EABCA5698946BDDF19
SHA256:52591E162196D5EB495E9530A0334A72D940EFA977881B31EF4A399BB275E13B
5308powershell.exeC:\Users\admin\AppData\Roaming\YrsbtdxL\Microsoft.Web.WebView2.WinForms.dllexecutable
MD5:46128473A0B3ECAA7C8980B1F8DB78DA
SHA256:9BAC64579FB676AA77D79CB469FFD4F9F69A64EF0838F52DD1AF87931924F913
5308powershell.exeC:\Users\admin\AppData\Roaming\YrsbtdxL\Microsoft.AppCenter.Crashes.dllexecutable
MD5:C3EA6FFEBCF0943FEFC6A793CE84E33B
SHA256:1F4113C085C5AB1ED9DE41DDE307A28632851444F331F90CA1B5B76159794FEC
5308powershell.exeC:\Users\admin\AppData\Roaming\YrsbtdxL\mdnsresponder.exeexecutable
MD5:EC539C4A9C60B3690FBD891E19333362
SHA256:1D60149CE640F4E07BCEEB8940950441025277F1EBA4F501F8AFE558030B34FE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
28
DNS requests
9
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4328
svchost.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
104.119.109.218:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4328
svchost.exe
GET
200
104.119.109.218:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1868
RUXIMICS.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1868
RUXIMICS.exe
GET
200
104.119.109.218:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
47.79.48.241:443
https://new64.oss-ap-southeast-1.aliyuncs.com/GqHQWNMv.txt
unknown
text
21.1 Mb
POST
200
172.67.193.71:443
https://sturdy-operated.cyou/api
unknown
text
2 b
POST
200
104.21.20.178:443
https://sturdy-operated.cyou/api
unknown
text
15 b
POST
200
172.67.193.71:443
https://sturdy-operated.cyou/api
unknown
text
15 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1868
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4328
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2.22.50.217:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4328
svchost.exe
2.19.11.105:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
4712
MoUsoCoreWorker.exe
2.19.11.105:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
1868
RUXIMICS.exe
2.19.11.105:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
4712
MoUsoCoreWorker.exe
104.119.109.218:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
www.bing.com
  • 2.22.50.217
  • 2.22.50.227
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 2.19.11.105
  • 2.19.11.120
whitelisted
www.microsoft.com
  • 104.119.109.218
whitelisted
new64.oss-ap-southeast-1.aliyuncs.com
  • 47.79.48.241
unknown
sturdy-operated.cyou
  • 104.21.20.178
  • 172.67.193.71
unknown
self.events.data.microsoft.com
  • 104.208.16.91
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Misc activity
ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
5308
powershell.exe
Misc activity
ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
sandbox.ps1