File name: sandbox.ps1

Full analysis: https://app.any.run/tasks/2afd84df-6d84-497a-be30-85f461c6714f
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: November 24, 2024, 21:25:00
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: stealer
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: 8764A988CD7F0E0DB0215F83BECB7AD2
SHA1: 9C8139641005EFF30C5E8A96BE33E8E539A28EC6
SHA256: 47BBE1308EAEFE5F64F17F546087CBAEEA982E8C2AEC36DF4BA3F9181798826C
SSDEEP: 6:SEhbKAIJrL4XRUs76NOctnyeAz9N8vSWV2Vr/x1EwKBM3S1RpTCsu2xK5rgpieZr:pQRiRUs7TctPAz9N8vSWVOjaIS1fC2kc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Bypass execution policy to execute commands
      • powershell.exe (PID: 5308)
    • Modifies registry (POWERSHELL)
      • powershell.exe (PID: 5308)
    • Actions looks like stealing of personal data
      • msiexec.exe (PID: 3744)
    • Steals credentials from Web Browsers
      • msiexec.exe (PID: 3744)
  • SUSPICIOUS
    • Uses base64 encoding (POWERSHELL)
      • powershell.exe (PID: 5308)
    • Extracts files to a directory (POWERSHELL)
      • powershell.exe (PID: 5308)
    • Writes data into a file (POWERSHELL)
      • powershell.exe (PID: 5308)
    • Uses sleep to delay execution (POWERSHELL)
      • powershell.exe (PID: 5308)
    • Executable content was dropped or overwritten
      • powershell.exe (PID: 5308)
      • mdnsresponder.exe (PID: 4740)
    • Process drops legitimate windows executable
      • powershell.exe (PID: 5308)
    • Gets file extension (POWERSHELL)
      • powershell.exe (PID: 5308)
    • The process drops C-runtime libraries
      • powershell.exe (PID: 5308)
    • Process drops SQLite DLL files
      • powershell.exe (PID: 5308)
      • mdnsresponder.exe (PID: 4740)
    • Starts application with an unusual extension
      • mdnsresponder.exe (PID: 4740)
  • INFO
    • Disables trace logs
      • powershell.exe (PID: 5308)
    • Checks proxy server information
      • powershell.exe (PID: 5308)
    • Checks if a key exists in the options dictionary (POWERSHELL)
      • powershell.exe (PID: 5308)
    • Checks whether the specified file exists (POWERSHELL)
      • powershell.exe (PID: 5308)
    • The process uses the downloaded file
      • powershell.exe (PID: 5308)
    • Reads the computer name
      • mdnsresponder.exe (PID: 4740)
      • more.com (PID: 5720)
    • The executable file from the user directory is run by the Powershell process
      • mdnsresponder.exe (PID: 4740)
    • Checks supported languages
      • mdnsresponder.exe (PID: 4740)
      • more.com (PID: 5720)
    • Creates files or folders in the user directory
      • mdnsresponder.exe (PID: 4740)
    • Create files in a temporary directory
      • more.com (PID: 5720)
      • mdnsresponder.exe (PID: 4740)
    • Reads the software policy settings
      • msiexec.exe (PID: 3744)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 126
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes in the graph: powershell.exe, conhost.exe (no specs), mdnsresponder.exe, more.com (no specs), conhost.exe (no specs), msiexec.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 3208
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: more.com
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3744
CMD: C:\WINDOWS\SysWOW64\msiexec.exe
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: more.com
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\jginiadxorqa
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 4740
CMD: "C:\Users\admin\AppData\Roaming\YrsbtdxL\mdnsresponder.exe"
Path: C:\Users\admin\AppData\Roaming\YrsbtdxL\mdnsresponder.exe
Parent process: powershell.exe
User: admin
Company: iTop Inc.
Integrity Level: MEDIUM
Description: iTop Data Recovery Service
Exit code: 1
Version: 4.0.0.168
Modules
Images
c:\users\admin\appdata\roaming\yrsbtdxl\mdnsresponder.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 5096
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5308
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\sandbox.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 5720
CMD: C:\WINDOWS\SysWOW64\more.com
Path: C:\Windows\SysWOW64\more.com
Parent process: mdnsresponder.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: More Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\more.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ulib.dll
Total events: 9 207
Read events: 9 206
Write events: 1
Delete events: 0

Modification events

(PID) Process: (5308) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: NetUtilityApp
Value: C:\Users\admin\AppData\Roaming\YrsbtdxL\mdnsresponder.exe
Executable files: 78
Suspicious files: 10
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5308 | powershell.exe | C:\Users\admin\AppData\Roaming\YrsbtdxL\HtmlRenderer.dll | executable
  MD5: 5CBE9851C19E0E20E503C5445A362BD4
  SHA256: DB83DF8E7C877FFB0916C14C9AD6D31FD4C27CAA8CF70FEE780F6FEE15A81640
5308 | powershell.exe | C:\Users\admin\AppData\Roaming\LuLUoTPN.zip | compressed
  MD5: 336AE4F91BDAAB9FD548A0BB96E85BF3
  SHA256: B9068030CEDBF08F1149951AD6AFDDE65025383E3D27E2123ECE23F6363DDE51
5308 | powershell.exe | C:\Users\admin\AppData\Roaming\YrsbtdxL\Microsoft.Web.WebView2.Core.dll | executable
  MD5: 28C6A96591A4890D33DEAA7DBABEBF10
  SHA256: 6E7B8869B538417CC361C97A37F7CEEC92DDC8AD84E0585BCF7021DABBF6F985
5308 | powershell.exe | C:\Users\admin\AppData\Roaming\YrsbtdxL\Manifest-Operations-Shared.dll | executable
  MD5: 974953859D720C9ADF8827E9EE70575D
  SHA256: E52B25435D9F626750A2B2DBE31918CD7A32C66809BA2CD50D92E12C9AF8D0E4
5308 | powershell.exe | C:\Users\admin\AppData\Roaming\YrsbtdxL\HtmlRenderer.PdfSharp.dll | executable
  MD5: F8730360B74E1FBFD46B6EC8E4209ACC
  SHA256: BDDC95E5EED0A68A54FCF2DFA99548642966DFDBF9B91940FF028E1EBF0ACDBD
5308 | powershell.exe | C:\Users\admin\AppData\Roaming\YrsbtdxL\Microsoft.AppCenter.Crashes.dll | executable
  MD5: C3EA6FFEBCF0943FEFC6A793CE84E33B
  SHA256: 1F4113C085C5AB1ED9DE41DDE307A28632851444F331F90CA1B5B76159794FEC
5308 | powershell.exe | C:\Users\admin\AppData\Roaming\YrsbtdxL\HEIC_SWIG_DLL_v142.dll | executable
  MD5: 0EDD60513A12689189309B50261E8979
  SHA256: 54F9E01DF5A6061A4D84BDC0FC0D263A70F4FA2BAE307146BAE9D00B90226DAB
5308 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary
  MD5: C11A6684FB43DE1CFA3E8ED85D6DB33C
  SHA256: AA7E54A8DF9FC1F76CE066466BA5B4442443BD49ABBE426AA89C0B63726DE5A1
5308 | powershell.exe | C:\Users\admin\AppData\Roaming\YrsbtdxL\HEIC_DLL_v142.dll | executable
  MD5: A706480C10F094BBCE144E92A48A9E63
  SHA256: 27D4A7C49206D81B0BCDBD2922C0A1BC36177ECB315041233126B654A78A8A86
5308 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MR4QGH8UIM20RMJ7H8UA.temp | binary
  MD5: C11A6684FB43DE1CFA3E8ED85D6DB33C
  SHA256: AA7E54A8DF9FC1F76CE066466BA5B4442443BD49ABBE426AA89C0B63726DE5A1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 15
TCP/UDP connections: 28
DNS requests: 9
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4328 | svchost.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1868 | RUXIMICS.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4328 | svchost.exe | GET | 200 | 104.119.109.218:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 104.119.109.218:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 104.21.20.178:443 | https://sturdy-operated.cyou/api | unknown | text | 15 b | unknown
- | - | POST | 200 | 172.67.193.71:443 | https://sturdy-operated.cyou/api | unknown | text | 15 b | unknown
- | - | POST | 200 | 104.21.20.178:443 | https://sturdy-operated.cyou/api | unknown | text | 48 b | unknown
- | - | POST | 200 | 104.21.20.178:443 | https://sturdy-operated.cyou/api | unknown | text | 15 b | unknown
- | - | POST | 200 | 172.67.193.71:443 | https://sturdy-operated.cyou/api | unknown | text | 15 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1868 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4328 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 2.22.50.217:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4328 | svchost.exe | 2.19.11.105:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 2.19.11.105:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
1868 | RUXIMICS.exe | 2.19.11.105:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 104.119.109.218:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
www.bing.com | 2.22.50.217, 2.22.50.227 | whitelisted
google.com | 142.250.185.142 | whitelisted
crl.microsoft.com | 2.19.11.105, 2.19.11.120 | whitelisted
www.microsoft.com | 104.119.109.218 | whitelisted
new64.oss-ap-southeast-1.aliyuncs.com | 47.79.48.241 | unknown
sturdy-operated.cyou | 104.21.20.178, 172.67.193.71 | unknown
self.events.data.microsoft.com | 104.208.16.91 | whitelisted

Threats

PID | Process | Class | Message
2192 | svchost.exe | Misc activity | ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
5308 | powershell.exe | Misc activity | ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
No debug info